← 返回 Skills 市场
338
总下载
1
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install cpa-update
功能描述
安全更新和维护 CLI Proxy API(CPA)部署与配置。用于 CPA 镜像升级、配置变更、认证目录兼容修复、上线验证与回滚。适用于用户提到“CPA 更新/升级/配置改了/容器重建/回滚”等场景。
使用说明 (SKILL.md)
CPA Update(v2.2.1)
目标
在不丢配置、不丢认证、可快速回滚的前提下,完成 CLI Proxy API 更新或配置迁移。
官方资源
- Docker Hub:
eceasy/cli-proxy-api - GitHub: router-for-me/Cli-Proxy-API
- 最新版本查询:
docker pull eceasy/cli-proxy-api:latest或查看 Docker Hub tags
强制安全规则
- 任何修改前先确认用户同意(尤其是重启/替换生产容器)。
- 任何修改前先备份(镜像 + 配置 + auth 目录)。
- 先测试再切生产。
- 保留可执行回滚路径。
0) 先做现网发现(禁止硬编码)
不要假设固定容器名、镜像名、版本号、端口。
# 找 CPA 容器
docker ps --format 'table {{.Names}} {{.Image}} {{.Status}}'
# 查看当前版本信息(注意:某些版本会输出版本后返回非0)
docker exec \x3CCONTAINER_NAME> ./CLIProxyAPI --version || true
# 假设配置路径为 /opt/cliproxyapi/config.yaml,读取关键项
sed -n '1,220p' /opt/cliproxyapi/config.yaml
# 快速定位当前启用的 provider 段
grep -n -- "-api-key:" /opt/cliproxyapi/config.yaml
# 检查官方最新版本
docker pull eceasy/cli-proxy-api:latest
记录以下基线(用于变更对比):
- 容器名、镜像名、映射端口
- 当前版本号(通过
./CLIProxyAPI --version获取) auth-dirremote-management.allow-remote- 当前使用的 provider 段(如
gemini-api-key、claude-api-key、codex-api-key、xai-api-key等)
1) 备份(必须)
mkdir -p /opt/cliproxyapi/backup /opt/cliproxyapi/backups
TS=$(date +%Y%m%d-%H%M%S)
# 备份镜像(将 \x3CIMAGE> 替换为当前生产镜像)
docker save \x3CIMAGE> > /opt/cliproxyapi/backup/cliproxyapi-image-${TS}.tar
# 备份配置
cp /opt/cliproxyapi/config.yaml /opt/cliproxyapi/backup/config-${TS}.yaml
# 备份认证目录
cp -a /opt/cliproxyapi/auth /opt/cliproxyapi/backup/auth-${TS}
# 保存现网基线信息
HOST_PORT=$(docker inspect \x3CCONTAINER_NAME> --format '{{(index (index .NetworkSettings.Ports "8317/tcp") 0).HostPort}}' 2>/dev/null || echo "unknown")
VERSION_RAW=$(docker exec \x3CCONTAINER_NAME> ./CLIProxyAPI --version 2>&1 || true)
VERSION_LINE=$(printf '%s\
' "$VERSION_RAW" | grep -m1 'CLIProxyAPI Version' || echo "$VERSION_RAW")
cat > /opt/cliproxyapi/backups/baseline-${TS}.md \x3C\x3C EOF
# Baseline ${TS}
Container: \x3CCONTAINER_NAME>
Image: \x3CIMAGE>
Version: ${VERSION_LINE}
Port: ${HOST_PORT}
Auth Dir: /opt/cliproxyapi/auth
Config: /opt/cliproxyapi/config.yaml
EOF
2) 判断更新类型
A. 仅配置变更(推荐优先)
适用于:新增/修改 provider、模型路由、管理参数、重试策略等。
流程:
- 编辑
config.yaml - 校验 YAML 格式(建议)
- 重启容器并验证
# 2A-1 重启
docker restart \x3CCONTAINER_NAME>
# 2A-2 健康检查
curl -s http://127.0.0.1:8317/v1/models -H "Authorization: Bearer \x3CAPI_KEY>" | head
B. 镜像升级(涉及容器替换)
适用于:官方发布新版本或需要修复基础镜像问题。
官方镜像地址: eceasy/cli-proxy-api:latest
**兼容修复要点:**确保容器内存在 auth 目录并可写(常见问题是 /root/.cli-proxy-api 权限/挂载冲突)。
直接使用官方镜像(推荐):
# 拉取最新官方镜像
docker pull eceasy/cli-proxy-api:latest
# 测试容器(使用测试端口 8318)
docker run -d --name cliproxyapi-test \
-p 8318:8317 \
-v /opt/cliproxyapi/config.yaml:/CLIProxyAPI/config.yaml \
-v /opt/cliproxyapi/auth:/root/.cli-proxy-api \
--restart unless-stopped \
eceasy/cli-proxy-api:latest
# 等待启动(约 5-10 秒)
sleep 10
# 健康检查
curl -s http://127.0.0.1:8318/v1/models -H "Authorization: Bearer \x3CAPI_KEY>" | head
# 检查日志
docker logs --tail 50 cliproxyapi-test
# 验证成功后停止测试容器
docker stop cliproxyapi-test && docker rm cliproxyapi-test
自定义镜像构建(如需特殊配置):
FROM eceasy/cli-proxy-api:latest
ENV TZ=Asia/Shanghai
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
RUN mkdir -p /root/.cli-proxy-api && chmod 755 /root/.cli-proxy-api
WORKDIR /CLIProxyAPI
EXPOSE 8317
CMD ["./CLIProxyAPI"]
3) 生产发布(需用户确认)
# 停止并删除当前容器
docker stop \x3CCONTAINER_NAME>
docker rm \x3CCONTAINER_NAME>
# 使用官方最新镜像启动生产容器
docker run -d \
--name \x3CCONTAINER_NAME> \
-p 8317:8317 \
-v /opt/cliproxyapi/config.yaml:/CLIProxyAPI/config.yaml \
-v /opt/cliproxyapi/auth:/root/.cli-proxy-api \
--restart unless-stopped \
eceasy/cli-proxy-api:latest
4) 发布后验收清单
/v1/models可返回完整模型列表- 随机抽测至少 1 个关键模型(如
gpt/claude/gemini/xai) - 日志无持续报错(auth、401、timeout、panic)
- 管理接口(若启用)可访问且权限正确
- 版本信息确认:
docker exec \x3CCONTAINER_NAME> ./CLIProxyAPI --version
5) 回滚(必须可用)
# 停新容器
docker stop \x3CCONTAINER_NAME> && docker rm \x3CCONTAINER_NAME>
# 恢复旧镜像
docker load \x3C /opt/cliproxyapi/backup/cliproxyapi-image-\x3CTS>.tar
# 用旧镜像重启
docker run -d \
--name \x3CCONTAINER_NAME> \
-p 8317:8317 \
-v /opt/cliproxyapi/config.yaml:/CLIProxyAPI/config.yaml \
-v /opt/cliproxyapi/auth:/root/.cli-proxy-api \
--restart unless-stopped \
\x3COLD_IMAGE>
6) 更新成功后归档与清理(需用户确认)
目标:保持
/opt/cliproxyapi干净可读;不删除在线配置与认证目录;保留回滚能力。
默认原则(推荐)
- 永远保留在线目录:
/opt/cliproxyapi/config.yaml/opt/cliproxyapi/auth/
- 每次升级成功后,把历史备份移动到时间戳归档目录:
/opt/cliproxyapi/archive/\x3CYYYYmmdd-HHMM>/
- 保留策略:
archive/保留最近 2 次升级归档backup/仅保留“当前升级批次”产物(可为空)- 至少保留 1 份可用回滚镜像(tar 或已打 tag 的本地镜像)
- 仅归档/删除“历史备份”,不动生产容器和在线挂载。
归档命令模板(先归档,不直接删除)
set -euo pipefail
TS=$(date +%Y%m%d-%H%M)
ARCHIVE_DIR="/opt/cliproxyapi/archive/${TS}"
mkdir -p "$ARCHIVE_DIR"
# 记录归档前快照
find /opt/cliproxyapi -maxdepth 2 -mindepth 1 | sort > "$ARCHIVE_DIR/PRE_ARCHIVE_SNAPSHOT.txt"
# 移动历史备份(仅示例,可按实际目录调整)
shopt -s nullglob
for f in \
/opt/cliproxyapi/backup/auth-* \
/opt/cliproxyapi/backup/config-*.yaml \
/opt/cliproxyapi/backup/*.tar \
/opt/cliproxyapi/config.yaml.backup.*
do
[ -e "$f" ] && mv "$f" "$ARCHIVE_DIR/"
done
# 写归档说明
cat > "$ARCHIVE_DIR/README.md" \x3C\x3CEOF
# CPA Archive ${TS}
归档时间:$(date '+%Y-%m-%d %H:%M:%S %Z')
在线目录(未修改):
- /opt/cliproxyapi/config.yaml
- /opt/cliproxyapi/auth/
本次归档用于保留历史备份,便于审计与回滚追溯。
EOF
可选清理(确认后执行)
# 仅清理 dangling 镜像层(安全)
docker image prune -f
# 如需删除旧测试容器(示例)
docker rm -f cliproxyapi-test || true
归档后复检(必须)
docker ps --format 'table {{.Names}} {{.Status}} {{.Ports}}'
curl -s http://127.0.0.1:8317/v1/models -H "Authorization: Bearer \x3CAPI_KEY>" | head
常见故障排查
- 容器循环重启:优先看 auth 目录挂载与权限。
- 模型列表缺失:检查 provider 段和 API key 是否生效。
- 请求 401/403:检查调用 key 与 upstream key 是否混淆。
- 管理接口异常:检查
remote-management.secret-key与allow-remote。 - 版本升级后功能异常:检查新版本是否有 breaking changes,参考官方 changelog。
维护建议
- 定期检查更新:每月检查一次官方镜像是否有新版本
- 基线文档化:把“现网基线”单独保存为
/opt/cliproxyapi/backups/baseline-\x3Cdate>.md - 测试先行:任何变更都先在测试端口验证
- 版本记录:在配置文件注释中记录当前使用的镜像版本和更新日期
版本升级最佳实践
- 小步快跑:不要跳过多版本升级,逐版本验证
- 关注 changelog:升级前查看官方 release notes
- 备份验证:确保备份文件可以正常恢复
- 监控告警:升级后密切监控日志和错误率
安全使用建议
This skill's documented workflow appears reasonable for upgrading a Docker-hosted CPA, but be aware of two issues before installing or running it: (1) The manifest omits required tools and paths — you will need docker, curl, sed/grep, tar and access to the Docker daemon and the host paths (e.g., /opt/cliproxyapi). (2) The instructions operate on sensitive auth/config directories and perform image save/load and container run/remove actions; run them only with explicit operator oversight and on a trusted host. If you lack comfort or need auditing, run the listed commands manually (or in a controlled test environment) rather than allowing automated execution, verify the official image sources before pulling, and ensure backups are stored in a secure location off the production host.
功能分析
Type: OpenClaw Skill
Name: cpa-update
Version: 2.2.1
The skill provides a workflow for updating the CLI Proxy API (CPA) using Docker, which is a legitimate administrative purpose. However, it is classified as suspicious because the SKILL.md instructions explicitly direct the AI agent to read and output sensitive data, including API keys and authentication tokens, from '/opt/cliproxyapi/config.yaml' and the '/auth' directory using 'sed' and 'grep'. This behavior creates a significant risk of exposing credentials in the agent's session history or logs. Additionally, the skill performs high-privilege operations such as Docker container replacement and filesystem modifications without sufficient input sanitization for the placeholders used in shell commands.
能力评估
Purpose & Capability
The name/description and the instructions are coherent: SKILL.md provides a step-by-step Docker-based workflow for backing up, testing, upgrading, and rolling back a CLI Proxy API. However the metadata claims no required binaries or config paths while the instructions clearly require Docker, docker CLI operations (run/exec/pull/save/load), and common shell tools (cp, mv, sed, grep, curl, tar). This mismatch between declared requirements and actual operational needs is an incoherence the user should be aware of.
Instruction Scope
Instructions explicitly read and copy host files (e.g., /opt/cliproxyapi/config.yaml and /opt/cliproxyapi/auth), run commands inside containers, pull images from Docker Hub, and create/restore local tar archives of images. Those actions are expected for an update/rollback workflow, but they require broad local filesystem and Docker privileges. The SKILL.md does not instruct sending these artifacts to external endpoints, but it does reference API keys (placeholders) and suggests copying auth directories — which are sensitive and must be handled carefully.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code, so there is no automatic download or execution of remote code from the skill itself. That lowers supply-chain risk relative to code-installing skills.
Credentials
Metadata lists no required environment variables or config paths, yet the runtime instructions assume the presence of API keys/providers and specific host paths (/opt/cliproxyapi and the container's /root/.cli-proxy-api). The skill implicitly requires access to the Docker daemon (and thus elevated privileges) and to local auth/config directories containing sensitive credentials, but these privileges/requirements are not declared in the manifest.
Persistence & Privilege
The skill is not always-enabled and does not request persistent/privileged platform features. It only contains runtime instructions; there is no installation step that modifies other skills or the agent configuration.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install cpa-update - 安装完成后,直接呼叫该 Skill 的名称或使用
/cpa-update触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.2.1
Known Issues with Official CPA Container
Practical use reveals these common problems:
• Incorrect /root/.cli-proxy-api directory permissions, preventing OAuth file writes.
• Read-only config mounts, blocking WebUI modifications.
• Upgrade risks from format or structure changes between versions, risking data loss.
• No safe update procedure, forcing manual backup, test, and rollback steps.
Solutions Provided by This Skill
✅ Fixes auth directory permissions automatically.
✅ Ensures writable config mounts for the WebUI.
✅ Standardizes the safe workflow: Backup → Test → Deploy → Rollback.
✅ Automates baseline checks and version verification.
元数据
常见问题
CPA Update - Secure CLI Proxy API Maintenance 是什么?
安全更新和维护 CLI Proxy API(CPA)部署与配置。用于 CPA 镜像升级、配置变更、认证目录兼容修复、上线验证与回滚。适用于用户提到“CPA 更新/升级/配置改了/容器重建/回滚”等场景。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 338 次。
如何安装 CPA Update - Secure CLI Proxy API Maintenance?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install cpa-update」即可一键安装,无需额外配置。
CPA Update - Secure CLI Proxy API Maintenance 是免费的吗?
是的,CPA Update - Secure CLI Proxy API Maintenance 完全免费(开源免费),可自由下载、安装和使用。
CPA Update - Secure CLI Proxy API Maintenance 支持哪些平台?
CPA Update - Secure CLI Proxy API Maintenance 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 CPA Update - Secure CLI Proxy API Maintenance?
由 JOJO587(@jojo587)开发并维护,当前版本 v2.2.1。
推荐 Skills