← Back to Skills Marketplace
95
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install carkey1
Description
车辆信息查询技能。查询车辆位置、车况(车锁、车门、车窗、空调、电源状态等)。触发词:查车、车辆位置、车况、我的车在哪。跨平台支持 Linux/macOS/Windows。
README (SKILL.md)
何时使用
- 用户查询车辆位置:"我的车在哪"、"查一下车在哪"
- 用户查询车况信息:"车锁了吗"、"车窗关了吗"、"车辆状态"
- 用户需要提供认证信息时,引导输入
vehicleToken####accessToken
快速使用
方式 1:绝对路径(推荐 Agent 使用)
# 假设技能安装在 ~/.openclaw/workspace/skills/carkey
~/.openclaw/workspace/skills/carkey/scripts/vehicle-query.sh
~/.openclaw/workspace/skills/carkey/scripts/vehicle-query.sh position
~/.openclaw/workspace/skills/carkey/scripts/vehicle-query.sh condition
方式 2:相对路径(用户手动执行)
cd carkey
./scripts/vehicle-query.sh
./scripts/vehicle-query.sh position
./scripts/vehicle-query.sh condition
认证
格式: vehicleToken####accessToken(4 个 # 分隔)
首次使用会提示输入,自动缓存。
| 系统 | 缓存路径 |
|---|---|
| Linux/macOS | ~/.carkey_cache.json |
| Windows | %USERPROFILE%/.carkey_cache.json |
状态码
| 字段 | 值含义 |
|---|---|
| power | 0=熄火, 1=ACC, 2=ON |
| gear | 1=P, 2=N, 3=D, 4=R, 5=S |
| door/window/trunk | 0=关闭, 1=开启 |
| lock | 0=解锁, 1=上锁 |
错误处理
| 场景 | 处理 |
|---|---|
| 无缓存 | 引导用户提供 token |
| Token 过期 | 提示重新认证,删除旧缓存 |
| 请求失败 | 自动重试 2 次,30 秒超时 |
| 缺少依赖 | 提示安装 curl/jq |
系统支持
| 系统 | 依赖安装 |
|---|---|
| Linux (Ubuntu/Debian) | sudo apt-get install curl jq |
| Linux (CentOS/RHEL) | sudo yum install curl jq |
| macOS | brew install curl jq |
| Windows (Git Bash) | 已包含 |
| Windows (WSL) | wsl sudo apt-get install curl jq |
文件结构
carkey/
├── SKILL.md # 本文档
├── README.md # 详细说明
├── _meta.json # 元数据
└── scripts/
└── vehicle-query.sh # 查询脚本(跨平台)
Usage Guidance
This skill appears to be a vehicle-status query tool, not a remote-control tool — but the package title is misleading. Before installing: (1) confirm you trust the backend host (https://openapi.nokeeu.com) because your access token and vehicle token will be sent there; (2) be aware tokens and query history are stored in plaintext under your home directory (~/.carkey_cache.json and ~/.carkey_history.json) — delete or secure these files if you don't want persistent credentials; (3) if you need stronger guarantees, request the publisher's homepage or documentation, test with non-production/test credentials, or avoid giving real tokens until you verify the service operator.
Capability Analysis
Type: OpenClaw Skill
Name: carkey1
Version: 1.1.2
The skill contains a shell injection vulnerability in `scripts/vehicle-query.sh` because it unsafely embeds the `vehicleToken` variable directly into a double-quoted string within a `curl` command. A maliciously crafted token containing shell subshell syntax (e.g., `$(command)`) would be executed by the shell. Additionally, the script stores sensitive authentication tokens in plaintext in the user's home directory (`~/.carkey_cache.json`). While the overall logic aligns with the stated purpose of querying a vehicle API (openapi.nokeeu.com), these security flaws represent significant risks.
Capability Assessment
Purpose & Capability
The README/SKILL.md and script implement a vehicle information/query skill (location and condition). The package name/title implies "control" but there is no control/actuation API used — only a POST to /iot/v1/condition to fetch status. This naming mismatch is confusing and should be clarified.
Instruction Scope
Runtime instructions are limited to running the included shell script, prompting the user for a token (vehicleToken####accessToken), and caching results. The skill does not instruct reading unrelated system files or exfiltrating arbitrary host data. It does perform network calls to an external API as expected for its purpose.
Install Mechanism
There is no install spec — this is an instruction-only skill with an included shell script. Nothing in the package downloads or executes additional remote code. Risk is limited to executing the provided script locally.
Credentials
The skill asks the user for sensitive tokens (vehicleToken and accessToken) and stores them (and a query history) in plaintext files under the user's home directory (~/.carkey_cache.json and ~/.carkey_history.json). While no other credentials are requested, persisting tokens locally (and automatically sending them to an external API) is a privacy/security concern and should be justified/managed (e.g., encryption, TTL, manual deletion).
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does create per-user cache and history files in the home directory, which is normal for CLI tools but is persistent and contains sensitive tokens.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install carkey1 - After installation, invoke the skill by name or use
/carkey1 - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.2
carkey v1.1.2 更新日志
- 优化了车辆信息查询技能文档,梳理了主要功能和使用场景
- 明确了认证信息格式,新增认证缓存与存储路径说明
- 增加了状态码详解及错误处理流程
- 提供了跨平台依赖安装指南与文件结构示意
- 收录常见问题及用户指令示例,提升易用性
Metadata
Frequently Asked Questions
What is Control your vehicle from AI agent?
车辆信息查询技能。查询车辆位置、车况(车锁、车门、车窗、空调、电源状态等)。触发词:查车、车辆位置、车况、我的车在哪。跨平台支持 Linux/macOS/Windows。 It is an AI Agent Skill for Claude Code / OpenClaw, with 95 downloads so far.
How do I install Control your vehicle from AI agent?
Run "/install carkey1" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Control your vehicle from AI agent free?
Yes, Control your vehicle from AI agent is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Control your vehicle from AI agent support?
Control your vehicle from AI agent is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Control your vehicle from AI agent?
It is built and maintained by Kuikui (@lkisme); the current version is v1.1.2.
More Skills