qwencloud-ops-auth
by Cuixiaoyang123 · v0.2.0 · MIT-0
Downloads: 149 · Stars: 0 · Active Installs: 0 · Versions: 2
Install in OpenClaw
/install qwencloud-ops-auth
Description
[QwenCloud] Configure authentication (API keys, endpoints). TRIGGER when: setting up QWEN_API_KEY, troubleshooting 401/auth errors, when another skill report...
Usage Guidance
This skill appears to be a legitimate QwenCloud auth helper, but there are two things to watch for before installing or allowing it to run autonomously: (1) the registry metadata claims no required environment variables while the SKILL.md clearly uses sensitive credentials (DASHSCOPE_API_KEY and optional OSS keys) — treat that mismatch as a red flag and prefer skills whose registry metadata lists required secrets, and (2) the skill's compatibility instructions include appending registration blocks to agent/project config files; always require explicit user consent before the skill edits any files. Additional steps you can take: review the skill text yourself to confirm it never prints keys (it states this explicitly), restrict the agent from making file edits unless you approve each change, and keep your real API keys out of clipboard/agent prompts (follow the skill's own advice to place placeholders in .env and enter keys manually). If you need higher assurance, ask the skill author to update registry metadata to declare DASHSCOPE_API_KEY (and any OSS creds) as required/primary and to provide a non-modifying instructions-only mode for verification.
Capability Analysis
Type: OpenClaw Skill
Name: qwencloud-ops-auth
Version: 0.2.0
The skill manages QwenCloud authentication but directs users to a non-official domain (qwencloud.com) for API key management instead of the official Alibaba Cloud console (aliyun.com). It also includes 'MANDATORY' post-execution instructions in SKILL.md that prompt the agent to install additional software via npx and execute a script (gossamer.py) not provided in the bundle. These behaviors, along with instructions in references/agent-compatibility.md to modify project configuration files (CLAUDE.md, AGENTS.md), represent significant security risks including potential credential misdirection and unauthorized environment modification.
Capability Assessment
Purpose & Capability
The SKILL.md clearly documents QwenCloud authentication flows, required environment variables (DASHSCOPE_API_KEY / QWEN_API_KEY, QWEN_TMP_OSS_*, OSS credentials) and behaviours for key types — all consistent with an auth helper. However, the registry metadata reports no required environment variables or primary credential, which contradicts the skill's own requirements (it effectively requires a Qwen API key and optional OSS credentials to verify/configure). That metadata mismatch is a substantive incoherence: a user would reasonably expect the registry to declare at least DASHSCOPE_API_KEY as required/primary.
Instruction Scope
Runtime instructions are detailed and generally scoped to auth setup (how to create .env placeholders, env var precedence, key-type checks, checking endpoints, and verification via curl). They also include steps to search for agent config files and guidance to append a registration block to agent configs (with 'ask the user before modifying any file'). While these actions are relevant to enabling skill compatibility, they require filesystem access and modifying user config files. The skill forbids outputting keys in plaintext and instructs to never ask users to paste keys — a positive safety posture. Still, the agent is given discretion to create/append config blocks and to detect repo roots, which is sensitive and should be confirmed with the user.
Install Mechanism
This is an instruction-only skill with no install spec or downloadable code, so it doesn't write code to disk beyond any user-approved config edits. That lowers install-time risk.
Credentials
The SKILL.md declares multiple sensitive environment variables and credential names (DASHSCOPE_API_KEY, QWEN_TMP_OSS_AK_ID / AK_SECRET, OSS_ACCESS_KEY_ID / SECRET) which are appropriate for configuring QwenCloud + custom OSS, but the registry metadata lists no required env vars or primary credential. This mismatch is problematic because the skill will act on secrets that the registry did not advertise. The guidance to never output keys in plaintext mitigates exfiltration risk, but the skill legitimately needs at least one API key — the absence of that in the declared metadata is an incoherence the user should notice.
Persistence & Privilege
The skill does not request always:true and uses normal autonomous invocation defaults. However, it explicitly includes instructions to append a marker and a skills table into agent/project config files (e.g., CLAUDE.md, ~/.claude/CLAUDE.md, AGENTS.md) to register itself and sibling skills. The SKILL.md says to ask the user before modifying files, which is good, but any automated or mistaken file modification could persist skill registration system-wide. Users should be asked for consent before such edits.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install qwencloud-ops-auth
- After installation, invoke the skill by name or use /qwencloud-ops-auth
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.0
qwencloud-ops-auth v0.2.0
- Added official QwenCloud billing, usage, and analytics console URLs for both Standard and Coding Plan keys.
- Clarified that only the specific listed billing/console URLs should ever be provided—no guessing or creating links.
- Instructed users to use the qwencloud-usage skill or official console pages for usage and billing.
- No changes to code or functionality; documentation only.
v0.1.0
qwencloud-ops-auth v0.1.0 — Initial release
- Adds detailed setup instructions for QwenCloud API authentication, supporting both environment variables and `.env` files.
- Enforces security best practices: never output or ask for API keys in plaintext, and always guide users to configure keys securely.
- Describes the priority order for loading credentials and handling different API key types (Standard vs Coding Plan).
- Provides specific troubleshooting steps for 401/authentication errors and guidance on credential verification.
- Includes compatibility notes and references for agents that require manual skill registration.
Frequently Asked Questions
What is qwencloud-ops-auth?
[QwenCloud] Configure authentication (API keys, endpoints). TRIGGER when: setting up QWEN_API_KEY, troubleshooting 401/auth errors, when another skill report... It is an AI Agent Skill for Claude Code / OpenClaw, with 149 downloads so far.
How do I install qwencloud-ops-auth?
Run "/install qwencloud-ops-auth" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is qwencloud-ops-auth free?
Yes, qwencloud-ops-auth is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does qwencloud-ops-auth support?
qwencloud-ops-auth is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created qwencloud-ops-auth?
It is built and maintained by Cuixiaoyang123 (@cuixiaoyang123); the current version is v0.2.0.