← Back to Skills Marketplace
External Receiver
by
kriouerlia
· GitHub ↗
· v1.0.0
· MIT-0
104
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install external-receiver
Description
通用外部数据接收 Skill。 在服务器上启动 HTTP 服务,接收外部文件上传和消息, 自动将内容推送到 OpenClaw 用户会话。 支持:文件上传、文本消息、Webhook JSON、curl / wget 客户端。
README (SKILL.md)
External Receiver
从外部接收文件 / 消息 → 推送到 OpenClaw 会话
功能
- 🌐 启动 HTTP 服务器(监听端口)
- 📁 接收文件上传(multipart/form-data)
- 💬 接收文本/JSON 消息
- → 自动转发到 OpenClaw 当前会话
快速使用
clawhub install external-receiver
cd skills/external-receiver
bash scripts/start.sh # 启动接收服务
端点
| 方法 | 路径 | 说明 |
|---|---|---|
| GET | / |
服务状态页 |
| GET | /health |
健康检查 |
| POST | /upload |
上传文件 |
| POST | /message |
发送文本消息 |
| POST | /webhook |
接收 JSON Webhook |
| GET | /download/\x3Cfilename> |
下载已接收文件 |
API 详情
上传文件
curl -X POST http://你的服务器:8080/upload \
-F "file=@/path/to/file.txt"
响应:
{
"ok": true,
"filename": "file.txt",
"size": 12345,
"path": "/home/user/.openclaw/workspace/received/file.txt"
}
发送文本消息
curl -X POST http://你的服务器:8080/message \
-d "text=Hello from outside!"
或 JSON:
curl -X POST http://你的服务器:8080/webhook \
-H "Content-Type: application/json" \
-d '{"text": "Webhook message", "from": "external-system"}'
OpenClaw 收到推送后自动显示
📥 收到外部消息:
Hello from outside!
📎 收到文件:
file.txt (12KB)
路径: /home/user/.openclaw/workspace/received/file.txt
配置
# 环境变量
export RECEIVER_PORT=8080 # 监听端口(默认 8080)
export RECEIVER_HOST=0.0.0.0 # 监听地址(默认 0.0.0.0)
export RECEIVER_DIR=/home/user/received # 文件存储目录
export RECEIVER_SECRET=your_secret_key # 访问密钥(可选)
安全建议
- ✅ 生产环境务必设置
RECEIVER_SECRET并在请求时附带 - ✅ 使用防火墙限制只开放 8080 端口给信任的 IP
- ✅ 定期清理
received/目录中的文件
Python 调用示例
import requests
# 发送消息
requests.post("http://服务器:8080/message", data={"text": "警报:价格突破"})
# 上传文件
with open("report.pdf", "rb") as f:
requests.post("http://服务器:8080/upload", files={"file": f})
# Webhook 方式
requests.post("http://服务器:8080/webhook", json={
"event": "trade",
"symbol": "BTC/USDT",
"side": "buy",
"amount": 0.01
})
Usage Guidance
This skill implements an HTTP file/message receiver, which is plausible for its description, but there are several red flags to consider before installing:
- Undeclared local config access: receiver_server.py reads ~/.openclaw/openclaw.json to extract a gateway auth token and may attempt a WebSocket connection using that token. This access to a local config/secrets file is not declared in the skill metadata. Inspect ~/.openclaw/openclaw.json to see what secrets it contains before running the skill.
- Undeclared persistent files: the skill writes notifications to ~/.openclaw/workspace/received/message_queue.jsonl and creates a received directory; these persistence locations are not listed in the registry metadata. If you want uploads stored elsewhere, set RECEIVER_DIR and confirm the server actually uses that path.
- Documentation / code mismatch: SKILL.md shows responses and default storage paths under ~/.openclaw/workspace/received, but the server's default RECEIVER_DIR (when not set) is skill-relative (../received). Confirm the actual storage location and update env vars accordingly.
- Network exposure: default host is 0.0.0.0 and default port 8080. If you run this on a publicly reachable host, require RECEIVER_SECRET and use firewall rules or a reverse proxy with TLS. The start script runs the server directly; consider running it inside a sandboxed container or private network.
- File handling: uploaded files are saved as-is (basename + timestamp) with no content inspection — avoid running or exposing uploaded files. Regularly clean the received directory and restrict who can POST to the endpoint.
Recommendations before use:
1) Review ~/.openclaw/openclaw.json contents and confirm you're comfortable the skill reading it and using any token inside. 2) Set RECEIVER_SECRET and firewall rules before exposing the server. 3) Set RECEIVER_DIR to a controlled location and verify the code writes there. 4) Run in an isolated environment (container/VM) if you don't trust the origin. 5) Ask the skill author to declare the config paths and token usage in registry metadata and to fix the documentation/code path inconsistencies.
Given these undeclared accesses and inconsistencies, proceed only after addressing or accepting these risks.
Capability Analysis
Type: OpenClaw Skill
Name: external-receiver
Version: 1.0.0
The skill implements an HTTP server (`receiver_server.py`) designed to receive files and messages from external sources and inject them into the OpenClaw agent's workspace and session. It is classified as suspicious because it introduces a significant attack surface by defaulting to listen on all network interfaces (`0.0.0.0`) and making authentication (`RECEIVER_SECRET`) optional, which could allow unauthorized remote actors to write files to the local filesystem or perform prompt injection via the message queue.
Capability Assessment
Purpose & Capability
The stated purpose (start an HTTP server to receive files/messages and push them into an OpenClaw session) matches the code: receiver_server.py implements /upload, /message, /webhook and writes notifications. However the skill also attempts to read OpenClaw gateway configuration (~/ .openclaw/openclaw.json) to obtain an auth token and connect to a local WebSocket — this access to local gateway credentials is not declared in the metadata and is not explicitly mentioned in SKILL.md (the doc only hints at WebSocket attempts).
Instruction Scope
SKILL.md instructs the user to run scripts/start.sh which runs receiver_server.py. The runtime instructions and code will: (1) accept arbitrary uploads and save them to RECEIVER_DIR, (2) write notifications into ~/.openclaw/workspace/received/message_queue.jsonl for the agent to read, and (3) read ~/.openclaw/openclaw.json to extract a gateway token and attempt a local WebSocket push. The code reads/writes files under the user's home directory that were not declared in requires.config, and the SKILL.md examples/documented paths are inconsistent with the code (the docs show paths under ~/.openclaw/workspace/received but the server's default RECEIVER_DIR is a skill-relative ../received).
Install Mechanism
There is no external download/install step and no remote code fetched at install time. The skill ships 3 script/code files and a start script; running the start script executes local Python code. No untrusted network installs are present in the manifest.
Credentials
No required environment variables are declared, but the code will respect optional RECEIVER_* env vars and will (without explicit metadata) access ~/.openclaw/openclaw.json to read a 'gateway'->'auth'->'token'. That means the skill can read a local configuration file that may contain sensitive tokens even though 'required config paths' or any credential access are not declared. The code also writes to ~/.openclaw/workspace/received/message_queue.jsonl (queue file) — this persistent file location is not declared in metadata either.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills, but it creates persistent files/directories under the user's home (~/.openclaw/workspace/received and a received directory), and will remain listening (network server) while run. It also tries to use a gateway websocket for immediate push if local config/token is present. These behaviors are expected for a receiver but are persistent and network-exposed by default (0.0.0.0:8080) unless the user changes env/config.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install external-receiver - After installation, invoke the skill by name or use
/external-receiver - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
v1.0.0: HTTP服务接收外部文件/消息,支持Webhook/文件上传,自动推送到OpenClaw会话,文件存储+队列机制
Metadata
Frequently Asked Questions
What is External Receiver?
通用外部数据接收 Skill。 在服务器上启动 HTTP 服务,接收外部文件上传和消息, 自动将内容推送到 OpenClaw 用户会话。 支持:文件上传、文本消息、Webhook JSON、curl / wget 客户端。 It is an AI Agent Skill for Claude Code / OpenClaw, with 104 downloads so far.
How do I install External Receiver?
Run "/install external-receiver" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is External Receiver free?
Yes, External Receiver is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does External Receiver support?
External Receiver is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created External Receiver?
It is built and maintained by kriouerlia (@kriouerlia); the current version is v1.0.0.
More Skills