← Back to Skills Marketplace
82
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install mihomo-proxy
Description
管理 mihomo (Clash Meta) 代理服务。当用户需要配置、更新、重启代理、切换节点、更新订阅或排查代理连接问题时使用。适用于已有 mihomo 二进制和配置的 Linux 服务器。
Usage Guidance
This skill appears to do what it says (generate mihomo config from a subscription and manage the service), but proceed carefully: 1) It requires node, curl, and systemctl though the metadata doesn't declare them — ensure those are present and you understand why. 2) The included script executes curl via a shell command using the provided subscription URL without sufficient escaping, creating a command-injection risk if the URL is maliciously crafted. Only use subscription URLs from trusted providers and avoid copying untrusted links. 3) The skill writes to /opt/mihomo-config/config.yaml and restarts systemd services, so it needs appropriate privileges; back up your existing config before running. 4) If you plan to use this, consider reviewing or patching scripts: replace execSync with a safe HTTP client (e.g., node https/axios or child_process.execFile) or properly sanitize/escape the URL, and run the tool as a non-root user or in a sandbox. 5) If you are not comfortable auditing or patching the code, treat the skill as potentially dangerous and avoid installing it on production systems.
Capability Analysis
Type: OpenClaw Skill
Name: mihomo-proxy
Version: 1.0.0
The skill bundle contains a critical shell injection vulnerability in `scripts/gen_config.js` where the `execSync` function is used to execute a `curl` command with an unsanitized subscription URL. While the tool's stated purpose of managing a Mihomo proxy service is legitimate, the lack of input validation allows for arbitrary command execution if a malicious URL is provided. Additionally, the skill requires high privileges to modify files in `/opt` and manage systemd services, increasing the impact of the vulnerability.
Capability Assessment
Purpose & Capability
The skill's name, description, SKILL.md and included script align with managing mihomo and generating config from subscription feeds. However the package metadata declares no required binaries while the instructions and script clearly expect systemctl, curl, and node (and an existing /opt/mihomo binary and /opt/mihomo-config path). The missing declared runtime dependencies is an inconsistency users should note.
Instruction Scope
Instructions and the script operate within the expected domain (download subscription, parse nodes, write /opt/mihomo-config/config.yaml, restart mihomo). However the script runs a shell curl via execSync using the user-supplied subscription URL inside a template literal: execSync(`curl -sL '${subUrl}' -o ${SUB_FILE}`); this is susceptible to shell/command injection if the URL contains crafted characters (e.g., single quotes or shell metacharacters). The skill also causes writes to system paths and restarts systemd services — expected for this purpose but high-privilege actions that should be run only with trusted inputs and appropriate privileges.
Install Mechanism
This is an instruction-only skill with no install spec, which is low risk for supply-chain installs. But it requires a node runtime to run scripts and curl/systemctl to be present; those runtime requirements are not declared in the metadata.
Credentials
The skill requests no credentials or environment variables and does not attempt to read unrelated secrets. It does read /tmp/sub_raw.txt and write /opt/mihomo-config/config.yaml and assumes permission to restart the mihomo service — these filesystem and service accesses are proportional to managing a local proxy service.
Persistence & Privilege
The skill is not marked always:true and does not request permanent platform-level presence. It writes a configuration file and restarts the mihomo systemd service (expected behavior for this purpose) but does not modify other skills or global agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install mihomo-proxy - After installation, invoke the skill by name or use
/mihomo-proxy - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
初始发布
Metadata
Frequently Asked Questions
What is mihomo-proxy?
管理 mihomo (Clash Meta) 代理服务。当用户需要配置、更新、重启代理、切换节点、更新订阅或排查代理连接问题时使用。适用于已有 mihomo 二进制和配置的 Linux 服务器。 It is an AI Agent Skill for Claude Code / OpenClaw, with 82 downloads so far.
How do I install mihomo-proxy?
Run "/install mihomo-proxy" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is mihomo-proxy free?
Yes, mihomo-proxy is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does mihomo-proxy support?
mihomo-proxy is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created mihomo-proxy?
It is built and maintained by LflyIce (@lflyice); the current version is v1.0.0.
More Skills