fit2-zhao

MeterSphere

Author: zhao · GitHub ↗ · v1.0.5 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 181
Favorites: 0
Current installs: 0
Versions: 6
Install in OpenClaw
/install metersphere
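Description
This project integrates the MeterSphere REST API with local scripting capabilities to provide OpenClaw Agent with a set of efficient, reusable Skills. It supports automatically generating functional test cases, API definitions and API test cases, and querying organizations, projects, modules, case reviews and defect associations, simplifying test asset management and improving the team's automation efficiency.
Security recommendations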
Before installing or running this skill:
  1. Treat the registry metadata mismatch as a red flag — inspect skill-metadata.json and SKILL.md in the package to confirm which env vars and binaries it actually needs.
  2. Run everything first in an isolated sandbox (non-production MeterSphere instance) and monitor outbound traffic to confirm requests only go to your configured METERSPHERE_BASE_URL.
  3. Use least-privilege API keys: prefer read-only keys for queries and separate limited keys for write/create operations; rotate keys after testing.
  4. Set METERSPHERE_DEFAULT_TEMPLATE_ID, METERSPHERE_DEFAULT_VERSION_ID and METERSPHERE_PROJECT_ID to avoid the hardcoded fallback values.
  5. Do not set METERSPHERE_HEADERS_JSON unless you understand and trust every header being injected — it can be used to attach credentials to requests.
  6. Protect the .env file (do not commit it; set permissions to 600); be aware scripts will load .env from the skill folder automatically.
  7. Inspect the scripts that call openssl/curl and temporary-file handling (ms_batch.py, ms_generate.py, ms.py) to ensure they meet your environment policies.
  8. If you are not comfortable with local signing using SECRET_KEY (even though the scripts claim not to transmit it), consider using a read-only approach and avoid providing a high-privilege secret to this skill.
If you want, I can point out the exact lines/files implementing the hardcoded IDs, the openssl/curl calls, and the .env loading so you can review them closely.
Functional analysis
Type: OpenClaw Skill
Name: metersphere
Version: 1.0.5
The bundle provides a legitimate integration for the MeterSphere REST API, enabling an AI agent to manage test cases, API definitions, and review workflows. While the scripts utilize high-risk capabilities such as executing system commands (curl, openssl) and handling sensitive API credentials (METERSPHERE_SECRET_KEY), these actions are well-documented and strictly aligned with the stated purpose of authenticating with and interacting with a MeterSphere instance. Notably, the package includes extensive security documentation (INSTALLATION_CHECKLIST.md, SIGNATURE_ALGORITHM.md) and a dedicated verification script (verify_installation.py) to help users mitigate risks like hardcoded IDs or insecure environment configurations. No evidence of data exfiltration, unauthorized persistence, or malicious prompt injection was found.
Capability tags
crypto, can-make-purchases
Capability assessment
Purpose & Capability
The on-disk SKILL.md and skill-metadata.json declare required env vars (METERSPHERE_BASE_URL, METERSPHERE_ACCESS_KEY, METERSPHERE_SECRET_KEY) and required binaries (python3, openssl, curl). However the top-level registry summary shown to the platform reported 'Required env vars: none' and 'Required binaries: none' — a metadata inconsistency. The code and documentation do legitimately need the declared keys and binaries for MeterSphere API signing and HTTP calls, but the registry metadata mismatch is an incoherence that could hide the true credential requirements from reviewers or automated installers.
Instruction Scope
Runtime instructions and the included scripts stay within the MeterSphere API domain (queries, generate and create cases, import OpenAPI). However the scripts automatically load a .env file from the skill directory (which can cause secrets to be picked up unexpectedly) and accept an optional METERSPHERE_HEADERS_JSON that can inject arbitrary HTTP headers. The code also uses subprocess to call openssl and curl for signing and uploads. These behaviors are functional but broaden the attack surface and require careful review (especially HEADERS_JSON and automatic .env loading).
Install Mechanism
There is no install spec that downloads or executes external code; the package is instruction + bundled scripts. That reduces installer risk. The included scripts use common system binaries (python3, openssl, curl) rather than fetching code from untrusted URLs. No network-based installation step was found.
Credentials
Requested environment variables (BASE_URL, ACCESS_KEY, SECRET_KEY) are expected for an API client that signs requests locally. However: (1) scripts fall back to hard-coded templateId/versionId/projectId values when environment overrides are not set — risking accidental writes to another project; (2) METERSPHERE_HEADERS_JSON allows arbitrary header injection (could be abused if set to include auth headers for other services); (3) verify_installation prints truncated env values (first 10 chars) which may leak secret prefixes when run. These are proportionate to functionality but represent operational and security risks that must be managed.
Persistence & Privilege
always:false and no evidence the skill modifies other skills or system-wide configuration. The skill does auto-load a local .env file in its own directory and writes/reads temporary files during multipart uploads, which is normal for CLI tooling and limited to its directory.
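How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the dialog: /install metersphere
  3. Once installed, invoke the Skill by name or trigger it with /metersphere
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history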
v1.0.5
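## metersphere 1.0.5 Changelog
- Added three new documents and scripts: INSTALLATION_CHECKLIST.md, SIGNATURE_ALGORITHM.md, scripts/verify_installation.py
- Fully upgraded the security section of SKILL.md, adding an "Important warning before installation" and detailed local/sandbox verification requirements
- Explicitly recommends running INSTALLATION_CHECKLIST.md and scripts/verify_installation.py first to check the environment and dependencies
- Provides a standalone document on the signature algorithm (SIGNATURE_ALGORITHM.md), emphasizing key security details
- Emphasizes that environment variables must be set to override the hardcoded IDs, ensuring data is attributed correctly
- Strengthened the operational warnings and check procedures for credentials, security, binary dependencies and sandboxed execution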
v1.0.4
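metersphere 1.0.3
- Enhanced the security notes, pointing out that hardcoded project ID, template ID and version ID values exist, and strongly recommending that they be overridden via environment variables to avoid data being attributed to the wrong project.
- Added recommended environment variables: `METERSPHERE_DEFAULT_TEMPLATE_ID` and `METERSPHERE_DEFAULT_VERSION_ID`, encouraging explicit configuration in `.env`.
- Further refined the recommended first-use steps, including guidance on setting environment variables and checking/replacing hardcoded values.
- Revised the security notes to consistently use the term "MeterSphere API".
- The structure of the remaining documentation and the command usage are unchanged.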
v1.0.3
Version 1.0.2
- Added required skill metadata file: skill-metadata.json.
- Expanded SKILL.md with structured environment variable requirements and detailed security notes.
- Clarified required/optional environment variables and dependency tools.
- Added usage warnings for secret handling, external network access, and permissions.
- No breaking changes to previous usage or command workflows.
v1.0.2
- No file changes detected in this release.
- No user-facing functionality or documentation updates.
- Version bump only; behavior is unchanged.
v1.0.1
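- Initial version released
- Removed the .env file to avoid leaking sensitive configuration
- Functional documentation and existing capability descriptions are unchanged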
v1.0.0
Initial release integrating MeterSphere REST API and local script capabilities for OpenClaw Agent.
- Provides efficient, reusable skill scripts for MeterSphere test asset management.
- Supports automatic generation of test cases, API definitions, and links to defect/review information.
- Includes streamlined workflows for querying, creating, and reporting on organizations, projects, modules, test cases, reviews, and defects.
- Offers default command sequences for common testing and review scenarios.
- Requires minimal configuration via three environment variables for setup.
Metadata
Slug metersphere
Version 1.0.5
License MIT-0
Total installs 0
Current installs 0
Version count 6
FAQ

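What is MeterSphere?

This project integrates the MeterSphere REST API with local scripting capabilities to provide OpenClaw Agent with a set of efficient, reusable Skills. It supports automatically generating functional test cases, API definitions and API test cases, and querying organizations, projects, modules, case reviews and defect associations, simplifying test asset management and improving the team's automation efficiency. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 181 total downloads to date.

How do I install MeterSphere?

Run the command "/install metersphere" in the OpenClaw or Claude Code dialog for a one-click install; no additional configuration is required.

Is MeterSphere free?

Yes. MeterSphere is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does MeterSphere support?

MeterSphere runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed MeterSphere?

Developed and maintained by zhao (@fit2-zhao); the current version is v1.0.5.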
