功能描述

Respond to user requests for AIOZ Pin API. Use provided scripts to manage API keys, pin files to IPFS, track usage, and more.

使用说明 (SKILL.md)

AIOZ Pin Operations

Name: AIOZ Pin Toolkit
Author: namle-aioz

Interact with AIOZ Pin API quickly with API key authentication. A suite of integrated bash scripts is provided to automatically call REST APIs for pinning files, managing API keys, and tracking usage.

When to use this skill

User wants to pin files to IPFS or pin by CID hash
User mentions "pin file", "pin to IPFS", "unpin", or "IPFS pinning"
User wants to generate, list, or delete AIOZ Pin API keys
User wants to retrieve pin details or list all pinned content
User wants to check usage data, top-ups, or billing information
User wants to manage AIOZ Pin resources

Authentication

This skill uses API key authentication via environment variables:

PINNING_API_KEY: Your AIOZ Pin API key (provided by the platform)
PINNING_SECRET_KEY: Your AIOZ Pin secret key (provided by the platform)
AIOZ_JWT_TOKEN: Your AIOZ Pin JWT token (for API key management operations)

Credential-safe policy:

Prefer credentials from secure environment injection.
If missing, ask the user for credentials and set them as temporary environment variables.
Never hardcode keys in command examples, logs, or responses.
Avoid inline one-off commands that contain raw secrets.

⚠️ Critical Security Notice:

Never pass credentials as CLI arguments. Credentials passed as positional arguments become visible in ps listings, shell history (.bash_history, .zsh_history), and process environment dumps.
All scripts must read credentials from environment variables only. Do not manually pass PINNING_API_KEY, PINNING_SECRET_KEY, or AIOZ_JWT_TOKEN as script arguments.
If a script prompts for credentials or accepts them as arguments, that is a violation of this policy.

If credentials are not present in the shell session, set them once before running any scripts:

export PINNING_API_KEY="YOUR_PINNING_API_KEY"
export PINNING_SECRET_KEY="YOUR_PINNING_SECRET_KEY"
export AIOZ_JWT_TOKEN="YOUR_JWT_TOKEN"  # if needed for API key management

Header mapping used by scripts (credentials read from env vars internally):

PINNING_API_KEY → pinning-api-key header
PINNING_SECRET_KEY → pinning-secret-key header
AIOZ_JWT_TOKEN → Authorization: Bearer header

This keeps credentials out of repeated command history and avoids accidental exposure.

Usage Options (Available Scripts)

When the user asks for a feature, use one of the bash scripts located in the scripts/ directory.

Prerequisite: All scripts read credentials from environment variables. Ensure these are set before executing any script:

export PINNING_API_KEY="YOUR_KEY"
export PINNING_SECRET_KEY="YOUR_SECRET"
export AIOZ_JWT_TOKEN="YOUR_JWT"  # for API key management only

Script Routing Map (for Clawbot)

All scripts below assume credentials are available in the environment (set via export). Do not pass credentials as CLI arguments.

Pinning Operations

Pin file by URL: ./scripts/pin_files_or_directory.sh FILE_URL
Pin by CID hash: ./scripts/pin_by_cid.sh CID_HASH [METADATA_NAME]
Get pin details: ./scripts/get_pin_details.sh PIN_ID
List pins: ./scripts/list_pins.sh [OFFSET] [LIMIT] [PINNED] [SORT_BY] [SORT_ORDER]
Unpin file: ./scripts/unpin_file.sh PIN_ID

API Key Management (JWT)

Generate new API key: ./scripts/generate_api_key.sh KEY_NAME [admin] [pinList] [nftList] [unpin] [pinByHash] [pinFileToIPFS] [unpinNFT] [pinNFTToIPFS]
List all API keys: ./scripts/get_list_api_keys.sh
Delete API key: ./scripts/delete_api_key.sh KEY_ID

Usage & Billing

Get history usage data: ./scripts/get_history_usage_data.sh [OFFSET] [LIMIT]
Get top-up data: ./scripts/get_top_up.sh [OFFSET] [LIMIT]
Get monthly usage data: ./scripts/get_month_usage_data.sh [OFFSET] [LIMIT]

1. Pin Files to IPFS

Use this script to pin a file by URL to IPFS:

./scripts/pin_files_or_directory.sh "https://example.com/file.zip"

Actual behavior in script:

Accepts public downloadable URL.
Downloads file and pins to IPFS via AIOZ Pin service.
Returns pin ID and CID hash.

2. Pin by CID Hash

To pin existing content by its IPFS CID:

./scripts/pin_by_cid.sh "QmHash..." "optional-name"

CID_HASH: The IPFS content hash to pin
METADATA_NAME: Optional name for the pinned content

3. API Key Management (JWT Flow)

Use these scripts to manage AIOZ Pin API keys:

# Generate API key with permissions:
./scripts/generate_api_key.sh "my-key" false true false false true true false false

# List API keys:
./scripts/get_list_api_keys.sh

# Delete API key:
./scripts/delete_api_key.sh "KEY_ID"

Actual behavior in scripts:

generate_api_key.sh calls POST /api/apikeys/create with permission flags.
Default permission values are false if not provided.
get_list_api_keys.sh calls GET /api/apikeys and returns list of keys.
delete_api_key.sh calls DELETE /api/apikeys/{keyId} and removes the key.

4. Pin Details & Management

To inspect, list, and manage pins:

Get Pin Details: ./scripts/get_pin_details.sh PIN_ID
- Calls GET /api/pinning/{pinId}
- Returns pin status, CID, size, creation date
List Pins: ./scripts/list_pins.sh [OFFSET] [LIMIT] [PINNED] [SORT_BY] [SORT_ORDER]
- Calls GET /api/pinning/pins?offset=...&limit=...
- Defaults: OFFSET=0, LIMIT=10, PINNED=true, SORT_BY=name, SORT_ORDER=ASC
Unpin File: ./scripts/unpin_file.sh PIN_ID
- Calls DELETE /api/pinning/unpin/{pinId}
- Removes pin from AIOZ Pin service

5. Usage & Billing Data

To retrieve usage and top-up data:

History Usage: ./scripts/get_history_usage_data.sh [OFFSET] [LIMIT]
- Calls GET /api/usage/history?offset=...&limit=...
- Returns detailed usage history with timestamps
Top-up Data: ./scripts/get_top_up.sh [OFFSET] [LIMIT]
- Calls GET /api/usage/topup?offset=...&limit=...
- Returns top-up transaction history
Monthly Usage: ./scripts/get_month_usage_data.sh [OFFSET] [LIMIT]
- Calls GET /api/usage/month?offset=...&limit=...
- Returns this month's usage statistics

Pagination notes:

OFFSET default is 0
LIMIT default is 10

Full Pinning Flow (Common Operational Path)

For a typical pin lifecycle, use this sequence:

Setup: Ensure credentials are in the environment before executing any scripts:

export PINNING_API_KEY="YOUR_KEY"
export PINNING_SECRET_KEY="YOUR_SECRET"

Operational steps:

Pin a file or CID
Get pin details to verify status
List pins to check all pinned content
Unpin when no longer needed

Step 1: Pin File by URL

./scripts/pin_files_or_directory.sh "https://example.com/file.zip"

Response: extract pinId and cid from the response.

Step 2: Check Pin Details

After pinning, verify the pin status:

./scripts/get_pin_details.sh "PIN_ID"

Response includes: status (active/pending), CID, file size, created date.

Step 3: List All Pins

To see all pinned content:

./scripts/list_pins.sh 0 10 true name ASC

Response: paginated list of all pins with metadata.

Step 4: Unpin Content

When done, remove the pin:

./scripts/unpin_file.sh "PIN_ID"

Confirms deletion.

Manual cURL Reference

(For reference only; prefer using provided scripts)

Prerequisites: These examples assume environment variables are set:

export PINNING_API_KEY="YOUR_KEY"
export PINNING_SECRET_KEY="YOUR_SECRET"
export AIOZ_JWT_TOKEN="YOUR_JWT"

All credentials are referenced as $VARIABLE_NAME (shell expansion) — never hardcoded.

Pin File by URL

curl -s -X POST "https://api.aiozpin.network/api/files/pin?fileUrl=https://example.com/file.zip" \
  -H "pinning-api-key: $PINNING_API_KEY" \
  -H "pinning-secret-key: $PINNING_SECRET_KEY" \
  -H "Content-Type: application/json"

Generate API Key (JWT)

curl -s -X POST "https://api.aiozpin.network/api/apikeys/create?keyName=my-key&admin=false&pinList=true&nftList=false&unpin=false&pinByHash=true&pinFileToIPFS=true&unpinNFT=false&pinNFTToIPFS=false" \
  -H "Authorization: Bearer $AIOZ_JWT_TOKEN" \
  -H "Content-Type: application/json"

List Pins

curl -s "https://api.aiozpin.network/api/pinning/pins?offset=0&limit=10&pinned=true&sortBy=name&sortOrder=ASC" \
  -H "pinning-api-key: $PINNING_API_KEY" \
  -H "pinning-secret-key: $PINNING_SECRET_KEY"

Response Handling

Run the appropriate script from the scripts/ directory.
Pin/Search scripts return raw JSON: pin_files_or_directory, pin_by_cid, get_pin_details, list_pins
API Key scripts return structured output with key metadata and permissions
Usage/Billing scripts return paginated data with timestamps and amounts
Extract and return useful fields explicitly: pin IDs, CID hashes, status, URLs, balances. If pin status is pending, inform the user to check again later.

Error Handling

401 Unauthorized: Invalid API keys. Verify that PINNING_API_KEY and PINNING_SECRET_KEY are correctly set in the environment (e.g., echo $PINNING_API_KEY).
Missing Parameters: Scripts validate arguments; pass exactly what they require.
Credential exposure warnings: If you accidentally pass credentials as CLI arguments, immediately revoke those keys from your AIOZ Pin account and generate new ones. Credentials in commands are visible via ps, shell history files, and process environment listings.
404: Resource not found (invalid pin ID or key ID).
500: Server error; suggest retrying.
Connection timeout/refused: API endpoint may be unavailable; retry and verify https://api.aiozpin.network/api/ accessibility.

Example Interaction Flow

User: "Pin this file to IPFS"
Verify environment setup: Confirm that PINNING_API_KEY and PINNING_SECRET_KEY are already set in the shell environment. If missing, ask the user for their credentials and set them via:
```
export PINNING_API_KEY="..."
export PINNING_SECRET_KEY="..."
```
Do not pass these as script arguments.
Ask for the file URL
Execute: ./scripts/pin_files_or_directory.sh "FILE_URL" (credentials come from environment)
Extract the returned pin ID and CID
Return the pin information to the user
Offer optional follow-up: check details (get_pin_details.sh) or list pins (list_pins.sh)

安全使用建议

This toolkit appears to implement the pinning and API-key operations it advertises, but there are several red flags you should consider before installing or using it: - Metadata & provenance: The registry metadata (owner id/required env) does not match _meta.json/README. Confirm the publisher/owner before trusting the package. - Secret handling mismatch: SKILL.md says "never pass credentials as CLI arguments; use environment variables only", but most scripts accept credentials as positional arguments and many README examples show passing them that way. If an agent or user invokes these scripts with secrets as args, those secrets can end up in process listings (ps), shell history, or logs. Prefer setting credentials in secure environment injection and verify scripts actually read env vars rather than argv. - Action items to reduce risk: - Inspect the scripts locally before running. Consider editing them so they read only from env vars (e.g., PINNING_API_KEY=${PINNING_API_KEY:-$1} and then error if env var not set). - Avoid running with credentials as positional args. Export env vars in a secure session and confirm with a dry run that the script uses them. - Verify endpoints (api.aiozpin.network) are legitimate and match your account's documentation. - If you need API-key management, prefer using the JWT flow with tokens set as environment variables and confirm that the agent will not echo or log tokens. - If you are unsure about provenance, ask the publisher for clarification or obtain official tools from the AIOZ Pin project/site. Given the contradictions between documentation and code, treat this package as suspicious until the credential-handling behavior and author identity are clarified.

能力评估

⚠ Purpose & Capability

The name/description (AIOZ Pin Toolkit for pinning and API key management) aligns with the included scripts and endpoints (api.aiozpin.network). However there are metadata inconsistencies: the top-level registry metadata claims no required env vars while SKILL.md, README.md, and _meta.json declare PINNING_API_KEY, PINNING_SECRET_KEY, and AIOZ_JWT_TOKEN. The README/_meta.json ownerId (aioz-pin-mcp-server) differs from the registry owner id/slug. These mismatches reduce trust in provenance and packaging.

⚠ Instruction Scope

SKILL.md strongly admonishes that credentials must be read from environment variables and never passed as CLI arguments. In practice, the shipped scripts are written to accept credentials as positional arguments (many scripts expect PINNING_API_KEY / PINNING_SECRET_KEY / JWT_TOKEN as argv). Some examples in README also show passing credentials as arguments. This is an explicit contradiction: the runtime instructions forbid a practice that the scripts themselves permit/expect. That inconsistency could cause the agent or a user to accidentally pass secrets on the command line (exposed in ps output, shell history, CI logs). Otherwise, the scripts' actions (pin/unpin, list, billing, API key mgmt) stay within the stated domain.

✓ Install Mechanism

There is no install spec; the package is instruction/script-based and uses only standard tools (bash, curl, jq). No external downloads or unusual install steps are present. This is low-risk from an installation/execution-supply perspective.

⚠ Credentials

Requesting PINNING_API_KEY, PINNING_SECRET_KEY, and AIOZ_JWT_TOKEN is proportionate to pinning and API-key-management operations. The problem is inconsistency across manifests: the registry summary omitted required env vars while SKILL.md and _meta.json list them. Moreover, the scripts' CLI-argument interfaces make it easy to leak those secrets if callers follow the examples in README or call the scripts by passing secrets as args. The skill's own guidance recommends env vars, but the codebase does not enforce that pattern.

✓ Persistence & Privilege

The skill does not request permanent presence (always:false) and does not try to modify other skills or system-wide configuration. It merely includes helper scripts and documentation. No elevated privilege or persistent autonomous behavior is requested.

版本历史

v1.0.7

**Security update: Prevent passing credentials as CLI arguments.** - Added prominent warning not to pass credentials (API key, secret, or JWT) as command-line arguments—scripts must read these exclusively from environment variables. - Updated instructions and all script examples to reinforce the credential usage policy. - Clarified that providing credentials as script arguments is a security violation and increases exposure risk. - Adjusted documentation for greater emphasis on secure environment practices before running any scripts. - No changes to available features or functionality.

v1.0.6

- Updated credential management: now prefers environment variable injection and avoids inline CLI secrets. - Script usage streamlined—users no longer pass credentials as arguments; scripts read them from environment variables. - Improved documentation for script routing, typical workflows, and credential safety practices. - Metadata schema restructured for better clarity and automation support. - General language update: conciseness, user focus, and consistency in script instructions.

v1.0.5

**Added secure credential handling via environment variables** - Introduced required environment variables (`PINNING_API_KEY`, `PINNING_SECRET_KEY`, and optional `AIOZ_JWT_TOKEN`) for all pinning and API key operations. - Updated instructions and script usage examples to emphasize setting credentials as environment variables rather than command-line arguments. - Added security notice about preventing credential leaks via shell history and `ps` output. - Maintained existing script behaviors but improved documentation for secure usage. - No changes to code or script interfaces; documentation and metadata only.

v1.0.4

No functional changes detected. Documentation and descriptions were updated for clarity and guidance. - Updated skill description and usage instructions for clarity. - Improved separation and explanation of authentication types and required credentials. - Reorganized and expanded script usage examples with clearer parameters and defaults. - Added explicit API mapping and sample cURL commands for all major actions. - Enhanced error handling and operational flow guidance in documentation.

v1.0.3

Version 1.0.3 of aioz-pin-toolkit - No code or documentation changes detected in this release. - Functionality, usage, and skill documentation remain unchanged.

v1.0.2

Initial release with updated credential safety and improved script usage: - Renamed skill to **aioz-pin-toolkit**. - Enforces use of environment variables for credentials; avoids exposing secrets in output or command history. - Updated usage examples and script descriptions for clarity and security. - Distinguishes between API key management (JWT) and pinning/billing actions (Pinning keys). - Adds safer, more focused minimal command examples for each workflow. - Clarifies response and error handling protocols.

v1.0.1

- Initial release of the aioz-pin-toolkit skill. - Provides integrated bash scripts for managing API keys, pinning/unpinning files to IPFS, and retrieving usage or billing data for AIOZ Pin MCP Server. - Supports JWT-based authentication for key management and API key/secret for pinning/usage operations. - Includes clear error handling and step-by-step usage flows for common operations. - Designed to respond to user requests for pinning, listing, unpinning, and retrieving usage statistics.

v1.0.0

Initial release of aioz-pin-mcp-toolkit. - Provides bash script wrappers for common AIOZ Pin MCP Server API operations: API key management, file/CID pinning, usage tracking, and resource listing. - Supports two authentication flows: JWT token (for API key management) and pinning API key/secret (for pinning and usage operations). - Script routing map included for key user intents (generate/list/delete keys, pin/unpin files, check status, view usage). - Outputs helpful error handling guidance and explicitly describes script responses. - Includes example usage flows and cURL commands for all major operations.

元数据

Slug aioz-pin-toolkit

版本 1.0.7

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 8

常见问题

AIOZ Pin Toolkit 是什么？

Respond to user requests for AIOZ Pin API. Use provided scripts to manage API keys, pin files to IPFS, track usage, and more. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 114 次。

如何安装 AIOZ Pin Toolkit？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install aioz-pin-toolkit」即可一键安装，无需额外配置。

AIOZ Pin Toolkit 是免费的吗？

是的，AIOZ Pin Toolkit 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

AIOZ Pin Toolkit 支持哪些平台？

AIOZ Pin Toolkit 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 AIOZ Pin Toolkit？

由 namle-aioz（@namle-aioz）开发并维护，当前版本 v1.0.7。

AIOZ Pin Toolkit