← 返回 Skills 市场

Gateway Validator

Name: Gateway Validator
Author: loopintoai

作者 loopintoai · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

336

总下载

当前安装

版本数

在 OpenClaw 中安装

/install gateway-validator

功能描述

Validate OpenClaw gateway configuration changes before applying them to production. Use when the user wants to change models, API keys, providers, or any gat...

使用说明 (SKILL.md)

Gateway Validator

Safely validate gateway config changes before they break production.

How It Works

Primary approach:

Create temp config with your changes
Start isolated test gateway on different port
Send test completion request
Works? → Apply to production
Fails? → Block and show error

Fallback approach (when isolated gateway can't start):

Validate config syntax
Test provider APIs directly (check API keys, models)
Works? → Apply to production
Fails? → Block and show error

Usage

I'll automatically use this when you request gateway changes:

"Change model to gpt-4o"
"Update API key"
"Switch to anthropic"
Any config modification

Examples

Bad API Key

You: "Set API key to fake-key"
Me: "🧪 Testing changes...
     ❌ API key is invalid
     Config unchanged."

Bad Model

You: "Use model gpt-99"
Me: "🧪 Testing changes...
     ❌ Model not found
     Config unchanged."

Valid Change

You: "Change temperature to 0.5"
Me: "🧪 Testing changes...
     ✅ Test passed
     ✅ Config updated"

Technical Details

Level 1: Config Syntax

YAML valid?
Required fields present?
Value ranges valid (temp 0-2, etc.)?

Level 2: Provider Test (direct API calls)

API key valid?
Model exists?
Can connect to provider?

Level 3: Full Gateway Test (when possible)

Start temp gateway
Send completion request
Verify end-to-end works

Limitations

Isolated gateway test requires systemd/launchd (not available in all containers)
When isolated test unavailable, falls back to provider-level validation
Provider testing needs ~5-10 seconds for API calls

安全使用建议

This skill appears to do what it says, but it touches sensitive areas: - It reads your OpenClaw config (from ~/.openclaw and /etc), so provider API keys stored there will be read and sent to the provider endpoints to validate credentials — this is required for validation but is sensitive. - It can overwrite the production config and restart the gateway (apply_change.py). Confirm whether you (or your agent) want automated apply+restart behavior; prefer a manual confirmation step before applying changes. - The temporary gateway start/port detection is imperfect in the scripts; consider running the validation in a safe staging environment first. Recommendations before installing/using: 1) Review your config file contents for secrets you don't want transmitted. If you prefer, remove or mask non-essential keys before running validation. 2) Run provider validation (scripts/test_provider.py or scripts/validate_config.py) manually to observe behavior before enabling autonomous agent-run operations. 3) Ensure backups are accessible (apply_change.py creates backups under the config directory) and that you have a rollback plan. 4) Restrict the agent so it asks for explicit confirmation before running apply_change.py or performing restarts. If you want, I can extract the exact commands the skill would run for a dry-run and suggest a safer invocation policy (e.g., validation-only mode without auto-apply).

功能分析

Type: OpenClaw Skill Name: gateway-validator Version: 1.0.0 The bundle provides a suite of tools for managing OpenClaw gateway configurations, including scripts for syntax validation, API key testing, and service management. It is classified as suspicious due to its high-risk capabilities: the ability to read and overwrite production configuration files containing sensitive credentials (scripts/apply_change.py) and the use of subprocesses to execute system commands (scripts/test_gateway.py). While these actions are aligned with the stated goal of safely updating gateway settings, they represent a significant attack surface that could be exploited to modify system behavior or access sensitive API keys if the AI agent is compromised via prompt injection.

能力评估

✓ Purpose & Capability

The name/description match what the files implement: reading OpenClaw config, validating syntax, testing providers via their HTTP APIs, optionally starting a temp gateway, and applying validated config to production. Required actions (reading ~/.openclaw and /etc config, calling provider endpoints, invoking the 'openclaw' binary, backing up and writing config files) are expected for this purpose.

ℹ Instruction Scope

SKILL.md promises automatic validation and the scripts implement the three validation levels. The scripts will read config files (home and /etc), perform network requests to provider endpoints using API keys found in the config, may start processes (openclaw gateway), and can apply changes to production. All of these are within scope, but they involve transmitting sensitive API keys and performing production changes — the README's claim to 'automatically use this when you request gateway changes' means the agent could run these operations without further manual checks unless the agent is constrained.

✓ Install Mechanism

No install spec; this is instruction+script-only. No external downloads or package installs are declared. The code uses standard Python stdlib and attempts to import PyYAML if available; lack of install spec means nothing is written to disk by an installer beyond whatever the agent runtime does when executing the included scripts.

ℹ Credentials

The skill doesn't request environment variables or external credentials directly, but it reads provider API keys from the OpenClaw config files (e.g., ~/.openclaw/config.yaml or /etc/openclaw/*). Sending those API keys to provider endpoints is necessary for validation, but is sensitive. The scripts do not request unrelated credentials; they do expect read/write access to config paths and ability to execute the 'openclaw' binary.

⚠ Persistence & Privilege

The skill includes apply_change.py which will overwrite the production config file (after creating a backup) and attempt to restart the gateway via 'openclaw gateway restart'. While this is coherent with the stated purpose, it's a high-impact operation: if the agent invokes apply_change without explicit user confirmation the production gateway could be changed or restarted unexpectedly. The skill is not 'always: true', but the SKILL.md says it will be used 'automatically' when the user requests gateway changes — make sure the agent prompts the user before performing apply/change actions.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install gateway-validator
安装完成后，直接呼叫该 Skill 的名称或使用 /gateway-validator 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release: Validate OpenClaw gateway configuration changes before applying them to production.

元数据

Slug gateway-validator

版本 1.0.0

许可证 MIT-0

累计安装 1

当前安装数 1

历史版本数 1

常见问题