← 返回 Skills 市场

External Receiver

Name: External Receiver
Author: kriouerlia

作者 kriouerlia · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

104

总下载

当前安装

版本数

在 OpenClaw 中安装

/install external-receiver

功能描述

通用外部数据接收 Skill。在服务器上启动 HTTP 服务，接收外部文件上传和消息，自动将内容推送到 OpenClaw 用户会话。支持：文件上传、文本消息、Webhook JSON、curl / wget 客户端。

使用说明 (SKILL.md)

External Receiver

从外部接收文件 / 消息 → 推送到 OpenClaw 会话

功能

🌐 启动 HTTP 服务器（监听端口）
📁 接收文件上传（multipart/form-data）
💬 接收文本/JSON 消息
→ 自动转发到 OpenClaw 当前会话

快速使用

clawhub install external-receiver
cd skills/external-receiver
bash scripts/start.sh                    # 启动接收服务

端点

方法	路径	说明
GET	`/`	服务状态页
GET	`/health`	健康检查
POST	`/upload`	上传文件
POST	`/message`	发送文本消息
POST	`/webhook`	接收 JSON Webhook
GET	`/download/\x3Cfilename>`	下载已接收文件

API 详情

上传文件

curl -X POST http://你的服务器:8080/upload \
  -F "file=@/path/to/file.txt"

响应：

{
  "ok": true,
  "filename": "file.txt",
  "size": 12345,
  "path": "/home/user/.openclaw/workspace/received/file.txt"
}

发送文本消息

curl -X POST http://你的服务器:8080/message \
  -d "text=Hello from outside!"

或 JSON：

curl -X POST http://你的服务器:8080/webhook \
  -H "Content-Type: application/json" \
  -d '{"text": "Webhook message", "from": "external-system"}'

OpenClaw 收到推送后自动显示

📥 收到外部消息:
Hello from outside!

📎 收到文件:
file.txt (12KB)
路径: /home/user/.openclaw/workspace/received/file.txt

配置

# 环境变量
export RECEIVER_PORT=8080                    # 监听端口（默认 8080）
export RECEIVER_HOST=0.0.0.0               # 监听地址（默认 0.0.0.0）
export RECEIVER_DIR=/home/user/received     # 文件存储目录
export RECEIVER_SECRET=your_secret_key      # 访问密钥（可选）

安全建议

✅ 生产环境务必设置 RECEIVER_SECRET 并在请求时附带
✅ 使用防火墙限制只开放 8080 端口给信任的 IP
✅ 定期清理 received/ 目录中的文件

Python 调用示例

import requests

# 发送消息
requests.post("http://服务器:8080/message", data={"text": "警报：价格突破"})

# 上传文件
with open("report.pdf", "rb") as f:
    requests.post("http://服务器:8080/upload", files={"file": f})

# Webhook 方式
requests.post("http://服务器:8080/webhook", json={
    "event": "trade",
    "symbol": "BTC/USDT",
    "side": "buy",
    "amount": 0.01
})

安全使用建议

This skill implements an HTTP file/message receiver, which is plausible for its description, but there are several red flags to consider before installing: - Undeclared local config access: receiver_server.py reads ~/.openclaw/openclaw.json to extract a gateway auth token and may attempt a WebSocket connection using that token. This access to a local config/secrets file is not declared in the skill metadata. Inspect ~/.openclaw/openclaw.json to see what secrets it contains before running the skill. - Undeclared persistent files: the skill writes notifications to ~/.openclaw/workspace/received/message_queue.jsonl and creates a received directory; these persistence locations are not listed in the registry metadata. If you want uploads stored elsewhere, set RECEIVER_DIR and confirm the server actually uses that path. - Documentation / code mismatch: SKILL.md shows responses and default storage paths under ~/.openclaw/workspace/received, but the server's default RECEIVER_DIR (when not set) is skill-relative (../received). Confirm the actual storage location and update env vars accordingly. - Network exposure: default host is 0.0.0.0 and default port 8080. If you run this on a publicly reachable host, require RECEIVER_SECRET and use firewall rules or a reverse proxy with TLS. The start script runs the server directly; consider running it inside a sandboxed container or private network. - File handling: uploaded files are saved as-is (basename + timestamp) with no content inspection — avoid running or exposing uploaded files. Regularly clean the received directory and restrict who can POST to the endpoint. Recommendations before use: 1) Review ~/.openclaw/openclaw.json contents and confirm you're comfortable the skill reading it and using any token inside. 2) Set RECEIVER_SECRET and firewall rules before exposing the server. 3) Set RECEIVER_DIR to a controlled location and verify the code writes there. 4) Run in an isolated environment (container/VM) if you don't trust the origin. 5) Ask the skill author to declare the config paths and token usage in registry metadata and to fix the documentation/code path inconsistencies. Given these undeclared accesses and inconsistencies, proceed only after addressing or accepting these risks.

功能分析

Type: OpenClaw Skill Name: external-receiver Version: 1.0.0 The skill implements an HTTP server (`receiver_server.py`) designed to receive files and messages from external sources and inject them into the OpenClaw agent's workspace and session. It is classified as suspicious because it introduces a significant attack surface by defaulting to listen on all network interfaces (`0.0.0.0`) and making authentication (`RECEIVER_SECRET`) optional, which could allow unauthorized remote actors to write files to the local filesystem or perform prompt injection via the message queue.

能力评估

ℹ Purpose & Capability

The stated purpose (start an HTTP server to receive files/messages and push them into an OpenClaw session) matches the code: receiver_server.py implements /upload, /message, /webhook and writes notifications. However the skill also attempts to read OpenClaw gateway configuration (~/ .openclaw/openclaw.json) to obtain an auth token and connect to a local WebSocket — this access to local gateway credentials is not declared in the metadata and is not explicitly mentioned in SKILL.md (the doc only hints at WebSocket attempts).

⚠ Instruction Scope

SKILL.md instructs the user to run scripts/start.sh which runs receiver_server.py. The runtime instructions and code will: (1) accept arbitrary uploads and save them to RECEIVER_DIR, (2) write notifications into ~/.openclaw/workspace/received/message_queue.jsonl for the agent to read, and (3) read ~/.openclaw/openclaw.json to extract a gateway token and attempt a local WebSocket push. The code reads/writes files under the user's home directory that were not declared in requires.config, and the SKILL.md examples/documented paths are inconsistent with the code (the docs show paths under ~/.openclaw/workspace/received but the server's default RECEIVER_DIR is a skill-relative ../received).

✓ Install Mechanism

There is no external download/install step and no remote code fetched at install time. The skill ships 3 script/code files and a start script; running the start script executes local Python code. No untrusted network installs are present in the manifest.

⚠ Credentials

No required environment variables are declared, but the code will respect optional RECEIVER_* env vars and will (without explicit metadata) access ~/.openclaw/openclaw.json to read a 'gateway'->'auth'->'token'. That means the skill can read a local configuration file that may contain sensitive tokens even though 'required config paths' or any credential access are not declared. The code also writes to ~/.openclaw/workspace/received/message_queue.jsonl (queue file) — this persistent file location is not declared in metadata either.

ℹ Persistence & Privilege

The skill does not request 'always: true' and does not modify other skills, but it creates persistent files/directories under the user's home (~/.openclaw/workspace/received and a received directory), and will remain listening (network server) while run. It also tries to use a gateway websocket for immediate push if local config/token is present. These behaviors are expected for a receiver but are persistent and network-exposed by default (0.0.0.0:8080) unless the user changes env/config.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install external-receiver
安装完成后，直接呼叫该 Skill 的名称或使用 /external-receiver 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

v1.0.0: HTTP服务接收外部文件/消息，支持Webhook/文件上传，自动推送到OpenClaw会话，文件存储+队列机制

元数据

Slug external-receiver

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题