Key Swap

Author: jawaddxb · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 379
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install keyswap
Description
Rotate Claude Max API token for OpenClaw Anthropic profiles. Use when the user says "swap key", "rotate key", "new key", "keyswap", or provides a new `sk-ant...
Usage instructions (SKILL.md)

Key Rotation

Rotate the Claude Max API token for both Anthropic profiles (anthropic:jawadjarvis and anthropic:manual) in OpenClaw.

Instructions

  1. If the user has not provided a token, ask for one. It must start with sk-ant-.
  2. Run the rotation script:
     bash /opt/homebrew/lib/node_modules/openclaw/skills/keyswap/scripts/keyswap.sh <token>
  3. Report the result to the user. On success, confirm both profiles were updated and the gateway restarted. On failure, show the error output.
Security usage recommendations
This skill appears to be what it claims: it asks the user for a new sk-ant- token, updates your OpenClaw Anthropic profiles file, and restarts the gateway. Before running it, ensure: 1) you trust the token you will provide, 2) you have a backup of $HOME/.openclaw/agents/main/agent/auth-profiles.json (the script overwrites it), 3) jq is installed and the OpenClaw CLI/LaunchAgent exist on your system (the SKILL.md assumes a macOS/Homebrew path and uses launchctl), and 4) you are comfortable that usageStats and failureCounts for those profiles will be reset (the script clears historic failure data). If your OpenClaw installation path differs, run the bundled script from its actual location or copy it into place rather than blindly running the exact /opt/homebrew/... command.
Functional analysis
Type: OpenClaw Skill
Name: keyswap
Version: 1.0.0

The `SKILL.md` file instructs the OpenClaw agent to execute a `bash` script (`scripts/keyswap.sh`) with a user-provided token. This direct embedding of user input into a shell command creates a significant shell injection vulnerability, as an attacker could append arbitrary commands (e.g., `sk-ant-foo; rm -rf /`) that would be executed by the agent after the `keyswap.sh` script completes. Although the `keyswap.sh` script attempts to mitigate injection within its `jq` command using `--arg`, this does not protect against commands executed *outside* the script's scope by the agent's initial command parsing. There is no evidence of intentional malicious behavior like data exfiltration or backdoors within the skill's code or instructions, but the vulnerability is critical.
Capability assessment
Purpose & Capability
Name and description match the actual behavior: the script updates the Anthropic profile tokens in the OpenClaw auth file. No unrelated credentials or services are requested. The skill assumes OpenClaw stores profiles at $HOME/.openclaw/agents/main/agent/auth-profiles.json and will update two profiles; this is coherent with 'rotate key' functionality. Note: the SKILL.md references an absolute install path (/opt/homebrew/...) which assumes a specific installation layout (macOS/Homebrew/npm global), but that is an implementation detail rather than a mismatch of purpose.
Instruction Scope
Instructions are narrowly scoped: ask user for a token (must start with sk-ant-), run the included script, and report results. The script reads and overwrites the local auth-profiles.json, resets usageStats for the specified profiles, and restarts the OpenClaw gateway. This stays within the stated purpose, but the instructions do not mention prerequisites (jq, correct file path, permissions) or error-recovery (backup of auth file). Also the script resets usageStats and deletes failureCounts — this is functional but could remove historical failure data, which users may want to be aware of.
Install Mechanism
No install spec is present (instruction-only plus bundled script), so nothing is downloaded or installed by the skill. The script is bundled in the package. The SKILL.md directs running the script from a fixed /opt/homebrew/... path; if the user's installation location differs the provided command may fail. No external downloads or obscure URLs are used.
Credentials
The skill requests no environment variables and no external credentials. It does modify the local OpenClaw auth file (which contains API tokens) — that is exactly what key rotation requires. There is no attempt to transmit tokens externally. Users should note the script runs as the invoking user and will overwrite the auth-profiles.json in that user's home directory.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It modifies OpenClaw's own auth file and restarts the OpenClaw gateway (via launchctl), which is appropriate for rotating an active key. The script does not alter other skills' configs or system-wide settings beyond restarting the gateway for the current user. Note: restart uses macOS-specific launchctl invocation and may fail or be inappropriate on non-macOS systems.
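How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install keyswap
  3. After installation, invoke the Skill by name or trigger it with /keyswap
  4. Provide the required input according to the Skill's parameter description to get structured output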
Version history
v1.0.0
- Initial release of the keyswap skill.
- Enables rotation of Claude Max API tokens for OpenClaw Anthropic profiles.
- Responds to user requests such as "swap key" or when a new `sk-ant-` token is provided.
- Guides users to supply a valid token if not already provided.
- Automates execution of a shell script to update both profiles and restart the gateway.
- Confirms success or reports error details based on script output.
Metadata
Slug: keyswap
Version: 1.0.0
License:
Total installs: 0
Current installs: 0
Historical versions: 1
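FAQ

What is Key Swap?

Rotate Claude Max API token for OpenClaw Anthropic profiles. Use when the user says "swap key", "rotate key", "new key", "keyswap", or provides a new `sk-ant... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 379 total downloads to date.

How do I install Key Swap?

Run the command "/install keyswap" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Key Swap free?

Yes, Key Swap is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Key Swap support?

Key Swap runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Key Swap?

It is developed and maintained by jawaddxb (@jawaddxb); the current version is v1.0.0.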
