← 返回 Skills 市场
95
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install carkey1
功能描述
车辆信息查询技能。查询车辆位置、车况(车锁、车门、车窗、空调、电源状态等)。触发词:查车、车辆位置、车况、我的车在哪。跨平台支持 Linux/macOS/Windows。
使用说明 (SKILL.md)
何时使用
- 用户查询车辆位置:"我的车在哪"、"查一下车在哪"
- 用户查询车况信息:"车锁了吗"、"车窗关了吗"、"车辆状态"
- 用户需要提供认证信息时,引导输入
vehicleToken####accessToken
快速使用
方式 1:绝对路径(推荐 Agent 使用)
# 假设技能安装在 ~/.openclaw/workspace/skills/carkey
~/.openclaw/workspace/skills/carkey/scripts/vehicle-query.sh
~/.openclaw/workspace/skills/carkey/scripts/vehicle-query.sh position
~/.openclaw/workspace/skills/carkey/scripts/vehicle-query.sh condition
方式 2:相对路径(用户手动执行)
cd carkey
./scripts/vehicle-query.sh
./scripts/vehicle-query.sh position
./scripts/vehicle-query.sh condition
认证
格式: vehicleToken####accessToken(4 个 # 分隔)
首次使用会提示输入,自动缓存。
| 系统 | 缓存路径 |
|---|---|
| Linux/macOS | ~/.carkey_cache.json |
| Windows | %USERPROFILE%/.carkey_cache.json |
状态码
| 字段 | 值含义 |
|---|---|
| power | 0=熄火, 1=ACC, 2=ON |
| gear | 1=P, 2=N, 3=D, 4=R, 5=S |
| door/window/trunk | 0=关闭, 1=开启 |
| lock | 0=解锁, 1=上锁 |
错误处理
| 场景 | 处理 |
|---|---|
| 无缓存 | 引导用户提供 token |
| Token 过期 | 提示重新认证,删除旧缓存 |
| 请求失败 | 自动重试 2 次,30 秒超时 |
| 缺少依赖 | 提示安装 curl/jq |
系统支持
| 系统 | 依赖安装 |
|---|---|
| Linux (Ubuntu/Debian) | sudo apt-get install curl jq |
| Linux (CentOS/RHEL) | sudo yum install curl jq |
| macOS | brew install curl jq |
| Windows (Git Bash) | 已包含 |
| Windows (WSL) | wsl sudo apt-get install curl jq |
文件结构
carkey/
├── SKILL.md # 本文档
├── README.md # 详细说明
├── _meta.json # 元数据
└── scripts/
└── vehicle-query.sh # 查询脚本(跨平台)
安全使用建议
This skill appears to be a vehicle-status query tool, not a remote-control tool — but the package title is misleading. Before installing: (1) confirm you trust the backend host (https://openapi.nokeeu.com) because your access token and vehicle token will be sent there; (2) be aware tokens and query history are stored in plaintext under your home directory (~/.carkey_cache.json and ~/.carkey_history.json) — delete or secure these files if you don't want persistent credentials; (3) if you need stronger guarantees, request the publisher's homepage or documentation, test with non-production/test credentials, or avoid giving real tokens until you verify the service operator.
功能分析
Type: OpenClaw Skill
Name: carkey1
Version: 1.1.2
The skill contains a shell injection vulnerability in `scripts/vehicle-query.sh` because it unsafely embeds the `vehicleToken` variable directly into a double-quoted string within a `curl` command. A maliciously crafted token containing shell subshell syntax (e.g., `$(command)`) would be executed by the shell. Additionally, the script stores sensitive authentication tokens in plaintext in the user's home directory (`~/.carkey_cache.json`). While the overall logic aligns with the stated purpose of querying a vehicle API (openapi.nokeeu.com), these security flaws represent significant risks.
能力评估
Purpose & Capability
The README/SKILL.md and script implement a vehicle information/query skill (location and condition). The package name/title implies "control" but there is no control/actuation API used — only a POST to /iot/v1/condition to fetch status. This naming mismatch is confusing and should be clarified.
Instruction Scope
Runtime instructions are limited to running the included shell script, prompting the user for a token (vehicleToken####accessToken), and caching results. The skill does not instruct reading unrelated system files or exfiltrating arbitrary host data. It does perform network calls to an external API as expected for its purpose.
Install Mechanism
There is no install spec — this is an instruction-only skill with an included shell script. Nothing in the package downloads or executes additional remote code. Risk is limited to executing the provided script locally.
Credentials
The skill asks the user for sensitive tokens (vehicleToken and accessToken) and stores them (and a query history) in plaintext files under the user's home directory (~/.carkey_cache.json and ~/.carkey_history.json). While no other credentials are requested, persisting tokens locally (and automatically sending them to an external API) is a privacy/security concern and should be justified/managed (e.g., encryption, TTL, manual deletion).
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does create per-user cache and history files in the home directory, which is normal for CLI tools but is persistent and contains sensitive tokens.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install carkey1 - 安装完成后,直接呼叫该 Skill 的名称或使用
/carkey1触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.2
carkey v1.1.2 更新日志
- 优化了车辆信息查询技能文档,梳理了主要功能和使用场景
- 明确了认证信息格式,新增认证缓存与存储路径说明
- 增加了状态码详解及错误处理流程
- 提供了跨平台依赖安装指南与文件结构示意
- 收录常见问题及用户指令示例,提升易用性
元数据
常见问题
Control your vehicle from AI agent 是什么?
车辆信息查询技能。查询车辆位置、车况(车锁、车门、车窗、空调、电源状态等)。触发词:查车、车辆位置、车况、我的车在哪。跨平台支持 Linux/macOS/Windows。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 95 次。
如何安装 Control your vehicle from AI agent?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install carkey1」即可一键安装,无需额外配置。
Control your vehicle from AI agent 是免费的吗?
是的,Control your vehicle from AI agent 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Control your vehicle from AI agent 支持哪些平台?
Control your vehicle from AI agent 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Control your vehicle from AI agent?
由 Kuikui(@lkisme)开发并维护,当前版本 v1.1.2。
推荐 Skills