Total downloads: 136
Favorites: 0
Current installs: 0
Versions: 5
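Install in OpenClaw
/install cs-qweather-jwtgen
Description
QWeather (和风天气) JWT token generation tool. Use this skill when you need to generate or refresh a JWT authentication token for the QWeather API.
Usage instructions (SKILL.md)
cs-qweather-jwtgen
QWeather JWT token generation tool: generates authentication tokens using the EdDSA algorithm.
Skill responsibilities
Use this skill when you need to generate or refresh a JWT authentication token for the QWeather API.
Tokens are valid for 24 hours and must be regenerated after they expire.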
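Environment variables
| Variable | Required | Description |
|---|---|---|
| QWEATHER_SUB | ✅ | User identifier of the QWeather account (the sub field) |
| QWEATHER_KID | ✅ | Key ID of the QWeather account (the kid field) |
| QWEATHER_API_HOST | No | QWeather API host (not needed by the generation script itself; needed by the alert/weather scripts) |
Automatic loading: the script uses the dotenv library to load variables from ~/.openclaw/.env automatically (override=True, which forces the latest values to be read so that stale process caches do not interfere), so it can be used directly in an OpenClaw environment.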
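File requirements
Private key file
Must be located at ~/.myjwtkey/ed25519-private.pem, with permissions set to 600.
chmod 600 ~/.myjwtkey/ed25519-private.pem
Token output file
After generation the token is saved automatically to ~/.myjwtkey/last-token.dat (the file is overwritten).
Other QWeather scripts (such as cs-qweather-alert) read the token from this file.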
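A consumer-side freshness check for the saved token, as an added example that is not part of the skill's own code: it decodes the claims of a token read from last-token.dat and reports whether it should be regenerated. It assumes kid is carried in the JWT header; the function names, the 300-second margin and the placeholder ids are hypothetical, and the constructed sample token reuses the iat/exp values from this page's example output.

```python
import base64
import json
import time

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def token_status(token, now=None, min_remaining=300):
    """Classify a stored token by its claims. The signature is NOT verified:
    this is a local freshness check on our own file, not authentication."""
    now = int(time.time()) if now is None else now
    parts = token.strip().split(".")
    if len(parts) != 3:
        return "malformed"
    try:
        header, claims = b64url_json(parts[0]), b64url_json(parts[1])
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if header.get("alg") != "EdDSA" or not header.get("kid"):
        return "unexpected-header"
    if exp - iat > 24 * 3600:          # page states a 24-hour validity period
        return "lifetime-too-long"
    if exp - now < min_remaining:      # expired, or about to expire
        return "regenerate"
    return "ok"

def sample_token():
    """Constructed token: iat/exp from the example output, placeholder ids and signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "EdDSA", "kid": "EXAMPLE_KID"}),
                     enc({"sub": "EXAMPLE_SUB", "iat": 1775746223, "exp": 1775830253}),
                     "constructed-signature"])

if __name__ == "__main__":
    print(token_status(sample_token(), now=1775746223))
```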
Usage
python3 cs-qweather-jwtgen/scripts/generateJWTtoken.py
Example output
[22:50:53] Private key: ~/.myjwtkey/ed25519-private.pem
[22:50:53] Private key loaded (119 chars, masked)
[22:50:53] sub: 4G***ER
[22:50:53] kid: KJ***9T
[22:50:53] iat=1775746223, exp=1775830253, sub=4G***ER, kid=KJ***9T
[22:50:53] Generating JWT ...
[22:50:53] JWT generated [masked: ey***Bg]
[22:50:53] Token saved to: ~/.myjwtkey/last-token.dat
[JWT Token]
eyJhb...
Logs
- Location: /tmp/cslog/generateJWTtoken-YYYYMMDD.log
- Masking: sub, kid and the JWT token are shown with only their first 2 and last 2 characters
Dependencies
- Python 3
- pyjwt: pip install pyjwt
Security usage recommendations
This skill's code does what it says (generates EdDSA JWTs for QWeather) and writes the token to ~/.myjwtkey/last-token.dat, but there are a few red flags to consider before installing:
- Confirm required inputs: The registry metadata lists no required env vars, but the SKILL.md and script require QWEATHER_SUB and QWEATHER_KID. Make sure you know and trust where you'll provide these values.
- Inspect ~/.openclaw/.env: The script attempts to auto-load that file (dotenv with override=True). That may overwrite process env vars and can contain other secrets. Review its contents before allowing the skill to run.
- Verify private key location and permissions: The script expects your Ed25519 private key at ~/.myjwtkey/ed25519-private.pem and will read it. Ensure the file is the key you intend to use and has safe permissions (the script sets token file to 600 but you should confirm the private key file is protected).
- Run in an isolated environment first: If you are unsure, run the script in a test account or sandbox so you can verify behavior (no network calls are present, but it will read/write local files).
- Dependency hygiene: Install pyjwt from a trusted source and avoid untrusted forks. The script optionally uses python-dotenv; if you install that, ensure it's from PyPI.
If you require more assurance, ask the skill author to update registry metadata to declare QWEATHER_SUB and QWEATHER_KID as required and to document explicit file path usage, or request a signed/verified source URL and owner provenance before trusting the skill.
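The file and environment checks recommended above can be scripted and run before the skill is first used. This is an added example, not the skill's or the registry's code: it uses simplified KEY=VALUE parsing rather than python-dotenv, reports variable names only, and the function names and the constructed demo directory are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path

def mode_findings(path, required=True):
    """Flag a secret file that is missing, not a regular file, or accessible beyond its owner."""
    try:
        st = path.lstat()  # lstat: a symlink at this path is reported, not followed
    except FileNotFoundError:
        return [f"{path}: missing"] if required else []
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    return [f"{path}: mode {mode:04o}, expected 0600"] if mode & 0o077 else []

def dotenv_names(env_file):
    """Variable names (never values) assigned in a .env file; simplified KEY=VALUE parsing."""
    names = []
    if env_file.is_file():
        for line in env_file.read_text(encoding="utf-8").splitlines():
            line = line.strip().removeprefix("export ")
            if line and not line.startswith("#") and "=" in line:
                names.append(line.split("=", 1)[0].strip())
    return names

def audit(home, environ):
    names = dotenv_names(home / ".openclaw" / ".env")
    return {
        "permissions": mode_findings(home / ".myjwtkey" / "ed25519-private.pem")
        + mode_findings(home / ".myjwtkey" / "last-token.dat", required=False),
        # override=True: variables already set in the process are replaced by these
        "overridden": sorted(n for n in names if n in environ),
        # everything else in the file is loaded into the skill's process as well
        "unrelated": sorted(n for n in names if not n.startswith("QWEATHER_")),
    }

def demo():  # audits a constructed home directory (placeholder data, no real secrets)
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".myjwtkey").mkdir()
        (home / ".openclaw").mkdir()
        key = home / ".myjwtkey" / "ed25519-private.pem"
        key.write_text("constructed placeholder, not a key\n")
        key.chmod(0o644)  # deliberately too permissive
        (home / ".openclaw" / ".env").write_text(
            "QWEATHER_SUB=EXAMPLE\nexport QWEATHER_KID=EXAMPLE\nOTHER_API_KEY=placeholder\n")
        return audit(home, {"QWEATHER_SUB": "set-in-shell"})

if __name__ == "__main__":
    print(audit(Path.home(), dict(os.environ)))
```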
Functional analysis
Type: OpenClaw Skill
Name: cs-qweather-jwtgen
Version: 1.4.0
The skill is a utility for generating QWeather API JWT tokens using the EdDSA algorithm. The script `scripts/generateJWTtoken.py` reads a private key from a local path (~/.myjwtkey/ed25519-private.pem) and environment variables from a standard OpenClaw configuration file, then outputs the signed token. The code is well-documented, includes data masking for its logging functionality, and contains no evidence of network exfiltration, malicious execution, or prompt injection.
Capability assessment
Purpose & Capability
The code and SKILL.md match the described purpose (EdDSA JWT generation for QWeather). However the registry metadata lists no required environment variables or credentials while SKILL.md and the script require QWEATHER_SUB and QWEATHER_KID and a local private key path; this mismatch is an integrity concern (the skill will fail or behave unexpectedly if required inputs are not provided).
Instruction Scope
The runtime instructions and the script stay within the stated task: read a local private key, read environment variables, generate a JWT with pyjwt, write the token to ~/.myjwtkey/last-token.dat, and log to /tmp/cslog. The script does not attempt network calls or other unrelated data collection.
Install Mechanism
No install spec; this is instruction-only with a Python script. Dependencies are minimal (pyjwt, optional python-dotenv). There is no downloading of remote archives or execution of arbitrary installers.
Credentials
The script requires QWEATHER_SUB and QWEATHER_KID but the registry metadata declared none; SKILL.md documents these but the platform-level metadata omission is an inconsistency. The script also auto-loads ~/.openclaw/.env (dotenv.load_dotenv(..., override=True)) which reads a user-specific env file and will override environment variables — this is sensitive because that file may contain other secrets. The skill reads a private key at ~/.myjwtkey/ed25519-private.pem and writes ~/.myjwtkey/last-token.dat; these file accesses are expected for the task but are not declared in the registry metadata.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It persists the generated token locally (~/.myjwtkey/last-token.dat) and writes logs to /tmp/cslog; this is reasonable for its function, but users should be aware of local file writes.
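How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install cs-qweather-jwtgen
- Once installation completes, call the Skill by name or use /cs-qweather-jwtgen to trigger it
- Provide the required input according to the Skill's parameter documentation to get structured output
Version history
v1.4.0
- Changed the dotenv override setting used when loading environment variables from False to True, so that the latest values are always read and stale process caches cannot interfere
- Updated the documentation accordingly to describe override=True, improving reliability in multi-process scenarios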
v1.3.0
**Added dotenv support for environment variable loading.**
- Now automatically loads environment variables from `~/.openclaw/.env` using the `dotenv` library.
- Existing environment variables are not overwritten (`override=False`).
- Improves compatibility in OpenClaw and similar environments.
- Updated documentation to reflect the new environment variable loading method.
v1.2.0
- Adds automatic environment variable loading from ~/.bashrc if not set, ensuring compatibility in non-interactive environments.
- Documents the new environment variable QWEATHER_API_HOST (not required for token generation, but for related scripts).
- Updates usage instructions and documentation for improved clarity.
v1.1.0
- Refreshed documentation with reorganized sections for better clarity and usability.
- Expanded environment variable and file requirements details, including table formatting and permission instructions.
- Added explicit token output usage and example output log for easier integration.
- Clarified logging location and masking behavior for sensitive information.
- Introduced _meta.json metadata file to the project.
v1.0.0
Initial version: supports generating QWeather JWT tokens, saved automatically to ~/.myjwtkey/last-token.dat
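Frequently asked questions
What is Cs Qweather Jwtgen?
A QWeather JWT token generation tool. Use this skill when you need to generate or refresh a JWT authentication token for the QWeather API. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 136 cumulative downloads to date.
How do I install Cs Qweather Jwtgen?
Run the command "/install cs-qweather-jwtgen" in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is required.
Is Cs Qweather Jwtgen free?
Yes. Cs Qweather Jwtgen is completely free, is released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does Cs Qweather Jwtgen support?
Cs Qweather Jwtgen runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Cs Qweather Jwtgen?
It is developed and maintained by Chenfeng (@savior1987); the current version is v1.4.0.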