p697

Clawket

Author: Cavano · GitHub · v1.0.1
cross-platform ⚠ suspicious
Total downloads: 429
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install clawket
Description
Generate QR codes for Clawket mobile app to pair with the local OpenClaw Gateway. Use when user mentions: Clawket pairing, login Clawket, QR code, mobile app...
Usage instructions (SKILL.md)

Clawket Gateway QR Code

Generate a QR code that the Clawket mobile app can scan to auto-configure Gateway connection (URL + auth token).

Generate QR Code

Run the script:

bash SKILL_DIR/scripts/gateway-qr.sh

The script will:

  1. Read ~/.openclaw/openclaw.json for the auth token
  2. Detect the local LAN IP address
  3. Generate a QR code as a PNG image at ~/.openclaw/media/clawket-qr.png
  4. Also print an ASCII QR code to the terminal

Send the PNG to the user via the message tool (filePath: ~/.openclaw/media/clawket-qr.png).

QR Payload Format

The QR code contains a JSON object:

{
  "host": "192.168.1.100",
  "port": 18789,
  "token": "...",
  "tls": false
}

The Clawket app scans this and auto-fills Gateway URL + auth token, then connects.

Troubleshooting

  • If qrencode is not installed: brew install qrencode (macOS) / sudo apt install qrencode (Linux) / choco install qrencode (Windows)
  • If the LAN IP detection fails, the script falls back to 127.0.0.1
  • The token is read directly from the JSON config file (not via openclaw config get which redacts it)
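An added example, not part of the Clawket skill or its script: a Python check that parses a payload in the QR format above and lists the exposure points (loopback fallback, `tls` set to false, unredacted token) before the image is shared. The function names and the sample payload values are constructed for illustration, and the reading of `tls: false` as a plaintext connection is an assumption.

```python
import ipaddress
import json

# Constructed sample payload in the format shown above (token is a placeholder).
SAMPLE_PAYLOAD = (
    '{"host": "192.168.1.100", "port": 18789, '
    '"token": "EXAMPLE-TOKEN-0000", "tls": false}'
)


def redact(token: str) -> str:
    """Mask all but the last 4 characters; mask everything for short tokens."""
    if len(token) <= 4:
        return "*" * len(token)
    return "*" * (len(token) - 4) + token[-4:]


def review_payload(raw: str) -> dict:
    """Parse a pairing payload and list what a reviewer should notice."""
    data = json.loads(raw)
    missing = {"host", "port", "token", "tls"} - set(data)
    if missing:
        raise ValueError(f"payload missing fields: {sorted(missing)}")
    port = data["port"]
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("port must be an integer in 1..65535")
    if not isinstance(data["token"], str) or not data["token"]:
        raise ValueError("token must be a non-empty string")

    findings = []
    try:
        addr = ipaddress.ip_address(data["host"])
        if addr.is_loopback:
            findings.append("host is loopback (LAN detection fallback); a phone cannot reach it")
        elif not addr.is_private:
            findings.append("host is not a private address; check where the token will be sent")
    except ValueError:
        findings.append("host is not an IP literal; verify what it resolves to")
    if data["tls"] is not True:
        # Assumption: tls=false means the app connects without TLS.
        findings.append("tls is false; token is assumed to cross the LAN unencrypted")
    findings.append("payload carries the unredacted auth token; treat the QR image as a secret")

    # Copy that is safe to print or log: the token is masked.
    return {"safe_view": dict(data, token=redact(data["token"])), "findings": findings}


if __name__ == "__main__":
    print(json.dumps(review_payload(SAMPLE_PAYLOAD), indent=2))
```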
Security usage recommendations
This skill appears to do exactly what it says, but it will read your local OpenClaw auth token and embed it in a QR image (and print it to the terminal). Before installing/using it:

  1. Confirm you want the token exported into ~/.openclaw/media/clawket-qr.png and possibly transmitted via chat/message.
  2. Run the script locally yourself rather than giving a remote agent permission to run it, if you prefer tighter control.
  3. Share the resulting QR only with the intended device/user and consider deleting the PNG afterward.
  4. If the token is sensitive, consider rotating/revoking it after pairing or using an ephemeral pairing token if available.
  5. If you plan to let the agent send the PNG on your behalf, understand that message logs or the agent's channels could store the token; only proceed if you trust the destination.

Functional analysis
Type: OpenClaw Skill
Name: clawket
Version: 1.0.1

The skill is classified as suspicious due to its direct handling and exposure of a sensitive authentication token. The `scripts/gateway-qr.sh` script explicitly reads the raw `gateway.auth.token` from `~/.openclaw/openclaw.json` using `python3 -c`. This token is then embedded into a QR code payload and saved as a PNG file (`~/.openclaw/media/clawket-qr.png`). The `SKILL.md` instructions then direct the AI agent to send this PNG file to the user. While the stated purpose is legitimate (mobile app pairing), the direct access and transmission of an unredacted authentication token represents a significant security risk, as it could be intercepted or misused if the user's environment or the agent's output channel is compromised. There is no evidence of intentional malicious exfiltration to an unauthorized third party, but the capability is high-risk.
Capability assessment
Purpose & Capability
Name/description state: generate QR for Clawket pairing. The script reads ~/.openclaw/openclaw.json to extract gateway auth token and port, detects LAN IP, and produces a PNG + ASCII QR. These actions are expected and proportionate to the stated purpose.
Instruction Scope
SKILL.md instructs running the provided script which explicitly reads the raw auth token from ~/.openclaw/openclaw.json (bypassing any redaction) and instructs the agent to send the generated PNG via the message tool. This is necessary for pairing but means a secret token will be written to disk, printed to stdout, and potentially transmitted — the instructions do not require or instruct redaction.
Install Mechanism
No external install/unpack occurs; the skill is instruction-only plus a local script. It depends on qrencode (standard package) and provides sensible installation hints. No downloads from untrusted URLs or archive extraction are present.
Credentials
No environment variables or unrelated credentials are requested. The script reads a local config file to retrieve a gateway auth token — this is expected for the task but is sensitive. The token is embedded in the QR and printed unredacted.
Persistence & Privilege
always:false and no modifications to other skills or system-wide settings. The script writes output to ~/.openclaw/media (a local app directory), which is appropriate for its purpose and does not request elevated privileges.
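How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install clawket
  3. Once installation completes, call the Skill by name or trigger it with /clawket
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history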
v1.0.1
Add login/pairing keywords to description
v1.0.0
Initial release: QR code pairing for Clawket mobile app
Metadata
Slug clawket
Version 1.0.1
License
Total installs 0
Current installs 0
Number of versions 2
FAQ

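What is Clawket?

Generate QR codes for Clawket mobile app to pair with the local OpenClaw Gateway. Use when user mentions: Clawket pairing, login Clawket, QR code, mobile app... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 429 total downloads so far.

How do I install Clawket?

Run the command "/install clawket" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Clawket free?

Yes, Clawket is completely free (free and open source) and can be downloaded, installed and used freely.

Which platforms does Clawket support?

Clawket runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Clawket?

Developed and maintained by Cavano (@p697); the current version is v1.0.1.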
