Downloads: 86
Stars: 0
Active Installs: 0
Versions: 2
Install in OpenClaw
/install shixinchao
Description
测试-史新超 (Test - Shi Xinchao)
Usage Guidance
This skill is suspiciously inconsistent rather than overtly malicious. Before installing or providing secrets:
(1) Do not provide your real API key yet; the registry metadata does not declare API_KEY.
(2) Inspect and fix the code: program.py currently sets api_key = "" instead of reading os.environ['API_KEY'] (or similar), so authentication will fail or send an empty bearer token.
(3) Confirm streaming behavior: requests.post is called with stream=False while the code iterates response.iter_lines() expecting SSE; change to stream=True and handle SSE properly.
(4) Remember that user questions (potentially sensitive) will be sent to the external domain developer.jointpilot.com; only use a scoped/test key and review the remote service's privacy policies.
(5) If you are not the developer, ask the publisher to (a) update the registry metadata to declare API_KEY as required, (b) correct program.py to read the env var and handle streaming, and (c) document what data is sent to the external API.
If these issues are not resolved, treat the skill as untrusted.
Capability Analysis
Type: OpenClaw Skill
Name: shixinchao
Version: 1.0.1
The skill bundle is a test implementation for interacting with the JointPilot AI API (developer.jointpilot.com). While the Python script (scripts/program.py) contains a functional bug where it fails to actually retrieve the API_KEY from the environment as described in SKILL.md, the code logic is limited to standard API request handling and SSE stream parsing. There is no evidence of data exfiltration, malicious execution, or prompt injection.
Capability Assessment
Purpose & Capability
The SKILL.md and scripts indicate the skill is a thin client for the jointpilot async_chat API (Q&A/streaming). That purpose is reasonable for the declared functionality. However, the registry metadata lists no required environment variables while SKILL.md declares an API_KEY is required — a clear mismatch between what the skill says it needs and what the registry requests. This inconsistency suggests the package was not packaged correctly.
Instruction Scope
SKILL.md instructs the agent to call scripts/program.py and to read API_KEY from the environment, and it references an external endpoint (https://developer.jointpilot.com/...). Those instructions are within scope for a remote Q&A skill. The problem: the included script does not actually read the API_KEY from the environment (it sets api_key = ""), and the script calls requests.post with stream=False while parsing SSE lines — another implementation mismatch. These instruction/code inconsistencies mean the runtime behavior will not match the documented behavior and could leak or fail in unexpected ways.
Install Mechanism
No install spec is provided (instruction-only with a bundled script). This is low risk from an installation perspective because nothing arbitrary is downloaded at install time.
Credentials
SKILL.md requires a single sensitive env var (API_KEY) for bearer authentication to the external API, which is proportionate to the skill's purpose. However, the skill registry does not declare this required env var, and program.py currently does not read the env var. The mismatch means the user's API key may not be used as intended (or may be accidentally omitted), and the registry's failure to declare the secret makes it easy to miss during review.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. Autonomous invocation is allowed (the platform default), which is normal for skills. No modifications to other skills or global agent settings are present.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install shixinchao
- After installation, invoke the skill by name or use /shixinchao
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Skill name and description updated from "shixinchao" to "测试-史新超"
- All other functionality and dependencies remain unchanged
v1.0.0
Initial release of shixinchao skill.
- Adds intelligent Q&A, context understanding, and streaming output capabilities.
- Automatically triggers on user questions.
- Requires Python dependency: requests==2.31.0.
- Needs environment variable API_KEY for API calls.
- Provides standard script integration for seamless API interaction.
Frequently Asked Questions
What is shixinchao?
测试-史新超. It is an AI Agent Skill for Claude Code / OpenClaw, with 86 downloads so far.
How do I install shixinchao?
Run "/install shixinchao" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is shixinchao free?
Yes, shixinchao is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does shixinchao support?
shixinchao is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created shixinchao?
It is built and maintained by RoarDay (@roarday); the current version is v1.0.1.