OneABC
v1.0.0Access OpenAI-, Claude-, DeepSeek-, Sora-, Midjourney-, and Suno-compatible models through the oneabc.io API. Use when the user asks to call OneABC models fr...
⭐ 0· 5·0 current·0 all-time
MIT-0
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The script and SKILL.md implement a simple wrapper to call oneabc APIs (chat, image, video, music, models), which matches the stated purpose. However the registry metadata claims no required env vars while SKILL.md and the script require an API key (ONEABC_API_KEY or OPENAI_API_KEY). That mismatch is incoherent and should be fixed.
Instruction Scope
Runtime instructions are narrow (run node scripts/oneabc.js with commands). But they tell the agent to accept OPENAI_API_KEY as an alternative key; instructions do not explicitly warn that an existing OPENAI_API_KEY in the environment will be reused and sent to a third party. The script only uses environment variables and network calls to BASE_URL, which is within scope, but the fallback to OPENAI_API_KEY expands the scope in a risky way.
Install Mechanism
No install spec and only a small Node script are included. There are no downloads or extracted archives. Required binary is only node. This is a low-risk install mechanism.
Credentials
The skill needs an API key, which is reasonable, but the registry metadata does not declare any required env vars while the SKILL.md and script require ONEABC_API_KEY (or fallback to OPENAI_API_KEY). Using OPENAI_API_KEY as a fallback means a user's OpenAI credential could be sent to api.oneabc.org unintentionally. This is disproportionate/risky unless explicitly intended and documented.
Persistence & Privilege
The skill does not request permanent/always-on inclusion and does not modify other skills or system configs. It runs only when invoked and uses the node script included in the skill.
What to consider before installing
This skill is a small Node wrapper that contacts https://api.oneabc.org (BASE_URL) using an API key. Before installing: (1) Be aware the script will use ONEABC_API_KEY if set — but if ONEABC_API_KEY is missing it will use OPENAI_API_KEY (the script's fallback). If you already have OPENAI_API_KEY in your environment, that key would be sent to the third-party API (potential key exposure). (2) The registry metadata does not list required env vars even though the skill needs a key — treat the SKILL.md and script as authoritative. (3) If you want to use this, explicitly set ONEABC_API_KEY to a dedicated key (and unset OPENAI_API_KEY in the environment while running), verify the BASE_URL is the endpoint you expect, and review the script source. (4) If you cannot trust the destination or don't want potential leakage of existing credentials, do not install/use the skill.scripts/oneabc.js:3
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔥 Clawdis
Binsnode
SKILL.md
OneABC
Use this skill when the user asks to access OneABC models through a local script wrapper.
Required environment
Set one of these before use:
ONEABC_API_KEYOPENAI_API_KEY(only if you intentionally mirror the same key there)
Optional:
ONEABC_BASE_URLdefault:https://api.oneabc.org
Commands
List models:
node scripts/oneabc.js models
Chat:
node scripts/oneabc.js chat gpt-4o "Hello"
Image:
node scripts/oneabc.js image "a product photo on white background"
Video:
node scripts/oneabc.js video "a shower head rotating in studio light"
Music:
node scripts/oneabc.js music "an upbeat product promo song"
Notes
- Never hardcode API keys into the skill files.
- If the environment variable is missing, stop and report it.
Files
2 totalSelect a file
Select a file to preview.
Comments
Loading comments…