← 返回 Skills 市场

Affinity Readonly

Name: Affinity Readonly
Author: howdymarc

作者 howdymarc · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

250

总下载

当前安装

版本数

在 OpenClaw 中安装

/install affinity-readonly

功能描述

Read-only Affinity CRM access for analysis and memo prep. Use when you need to fetch Affinity companies, people, notes, opportunities, interactions, or relat...

使用说明 (SKILL.md)

Affinity Read-Only

Use this skill for Affinity analysis tasks from chat or Slack.

Hard rules

Use GET requests only.
Never call POST, PUT, PATCH, or DELETE.
Never change stages, notes, tags, companies, or people.
Never print, log, or echo AFFINITY_API_KEY.
If a request requires modification, stop and ask for explicit approval.

Prerequisite

AFFINITY_API_KEY must be set in local environment.

Quick check:

zsh -lc '[[ -n "$AFFINITY_API_KEY" ]] && echo "AFFINITY_API_KEY is set" || echo "AFFINITY_API_KEY is not set"'

API helper

Use the bundled script:

./skills/affinity-readonly/scripts/affinity_get.sh "/companies" "page_size=25"
./skills/affinity-readonly/scripts/affinity_get.sh "/persons" "term=Driven%20Plastics"
./skills/affinity-readonly/scripts/affinity_get.sh "/notes" "person_id=12345"

Arg 1: endpoint path beginning with /
Arg 2 (optional): query string without leading ?
Base URL defaults to https://api.affinity.co and can be overridden with AFFINITY_API_BASE

Workflow

Confirm task is analysis-only.
Fetch only required records with affinity_get.sh.
Summarize evidence with IDs/timestamps when available.
If data appears incomplete, request clarifying filters (date range, company, person).
Refuse any write/update request unless user explicitly approves and policy is changed.

安全使用建议

This skill appears to do what it says (make read-only GET calls to Affinity) and the script does not print the API key, but there are a few things to check before installing: 1) Confirm the registry metadata is updated to declare AFFINITY_API_KEY as a required environment variable (the SKILL.md and script require it). 2) Use a least-privilege Affinity API key (read-only scope) — do not use an admin key. 3) Ensure AFFINITY_API_BASE is not set to an untrusted URL (because the script will send the API key to whatever base URL is configured). 4) Verify the skill's source/homepage and publisher identity (no homepage provided here) or test the script in a sandbox first. If those checks are satisfied, the skill is likely acceptable; if the publisher cannot justify the metadata mismatch or if AFFINITY_API_BASE is uncontrolled, do not install.

功能分析

Type: OpenClaw Skill Name: affinity-readonly Version: 1.0.0 The skill provides a legitimate read-only interface for the Affinity CRM API, consistent with its stated purpose. The helper script `scripts/affinity_get.sh` correctly handles authentication via environment variables and defaults to the official API endpoint (api.affinity.co). Furthermore, the `SKILL.md` file includes explicit safety instructions for the AI agent to prevent unauthorized write operations and protect the API key from being logged or exposed.

能力评估

ℹ Purpose & Capability

The name/description promise read-only Affinity access and the included script plus SKILL.md implement that: GET-only requests to the Affinity API using a Bearer token. However, the published registry metadata lists no required environment variables while SKILL.md and the script require AFFINITY_API_KEY (and optionally AFFINITY_API_BASE). This mismatch is an incoherence that should be corrected.

✓ Instruction Scope

SKILL.md enforces GET-only behavior and the script performs only curl --get requests with Accept: application/json and Authorization: Bearer <key>. The instructions do not direct reading unrelated files or sending data to unexpected endpoints (beyond the base URL).

✓ Install Mechanism

No install spec and only a small bundled shell script are provided, so nothing is downloaded or installed at runtime. Risk from install mechanism is low.

⚠ Credentials

The script and SKILL.md require AFFINITY_API_KEY (and allow overriding AFFINITY_API_BASE), but the registry metadata lists no required env vars — this omission is problematic. Also, because AFFINITY_API_BASE is an override, a malicious or misconfigured value could cause the script to send the API key to an attacker-controlled host; ensure AFFINITY_API_KEY is a read-only-scoped key and that AFFINITY_API_BASE is not set to an untrusted endpoint.

✓ Persistence & Privilege

always:false and no requests to modify agent configuration or other skills. Autonomous invocation is allowed by default (normal) and does not by itself increase risk given the limited scope, but users should be aware the agent could call the skill when relevant.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install affinity-readonly
安装完成后，直接呼叫该 Skill 的名称或使用 /affinity-readonly 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

- Initial release of affinity-readonly skill. - Provides read-only Affinity CRM access for analysis and memo preparation. - Enforces GET-only operations—no modifications allowed. - Never exposes or logs API keys. - Includes helper script for fetching companies, people, notes, opportunities, and related data via Affinity API.

元数据

Slug affinity-readonly

版本 1.0.0

许可证 MIT-0

累计安装 1

当前安装数 1

历史版本数 1

常见问题