← 返回 Skills 市场
243
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install mihomo-cli
功能描述
Inspect and operate a local Mihomo/Clash.Meta/Clash Verge/ClashMac instance through its REST API. Use when the user asks to check proxy status, list nodes, r...
安全使用建议
This skill and its script appear to do what they say: discover a local Mihomo/Clash install, read the config to get the API host and secret, and call the local REST API to inspect or change proxy state. Before installing or running it, review and consider the following:
- Inspect the bundled script yourself (scripts/mihomo-cli.sh). It will read config files (e.g., ~/.config/mihomo/config.yaml, /etc/mihomo/config.yaml) and may extract a 'secret' token — that token grants API access to the local service.
- The script expects command-line tools (curl, jq, ps, grep, sed, xargs). The package metadata does not declare these dependencies; ensure they are present and you understand their usage.
- The script can perform mutating actions (switch proxies, flush caches, restart Mihomo). Only run those commands when you trust the environment and understand the impact.
- Prefer running read-only commands (status, proxies, groups) first. If you are concerned about secrets being read, run the script with MIHOMO_SECRET unset and explicitly pass safe options, or inspect the config files manually.
- Do not run the script as root; run it as the user that owns the Mihomo/Clash installation to limit exposure.
- If you want higher assurance, run the script in a sandboxed environment or review/modify it to log less or to avoid extracting the secret if you only need read-only operations.
If the publisher can update the registry metadata to list required binaries (curl, jq) and the optional env vars (MIHOMO_CONFIG, MIHOMO_HOST, MIHOMO_SECRET), that would resolve the main transparency concerns and raise confidence.
功能分析
Type: OpenClaw Skill
Name: mihomo-cli
Version: 1.0.0
The skill bundle provides a utility for managing local Mihomo/Clash proxy instances, which requires several high-risk capabilities. The script `scripts/mihomo-cli.sh` automatically discovers and reads local configuration files (e.g., in `~/.config/mihomo/`) to extract sensitive API secrets and uses `ps aux` to inspect running processes for configuration paths. While these behaviors are aligned with the stated purpose, the automated credential extraction and the instructions in `SKILL.md` encouraging broad system discovery constitute risky behaviors under the analysis threshold. Additionally, the script exhibits a minor JSON injection vulnerability in the `cmd_switch` function when constructing API request bodies.
能力评估
Purpose & Capability
Name/description match the behavior: the script discovers local Mihomo/Clash installs, extracts 'external-controller' and 'secret', and calls the local REST API to list proxies, switch groups, flush caches, and restart. However, the skill metadata declares no required binaries or env vars while the script clearly expects tools like curl and jq and optional env vars (MIHOMO_CONFIG, MIHOMO_HOST, MIHOMO_SECRET). The absence of declared dependencies is an inconsistency that should be resolved.
Instruction Scope
The SKILL.md and the script stay within the stated scope: they read common Mihomo/Clash config paths, inspect running processes to find a config file, extract the API host and secret, and perform read or mutating API calls (status, proxies, groups, test, switch, flush, restart). The README advises preferring read-only commands before mutations. No instructions ask the agent to read unrelated user files or transmit data to third-party endpoints.
Install Mechanism
This is an instruction-only skill with a bundled helper script and no install spec, so nothing is downloaded or installed automatically. That minimizes installation risk. The script will run locally and does not install additional code by itself.
Credentials
Although the registry lists no required environment variables, the script honors and uses MIHOMO_CONFIG, MIHOMO_HOST, and MIHOMO_SECRET, and it extracts secret values from config files. That means sensitive data (the API secret) can be read from disk or environment when the script runs. The requested access is relevant to the task, but the omission from declared requirements is a transparency issue and raises risk if users assume no secrets are touched.
Persistence & Privilege
The skill is not force-included (always: false) and does not request persistent platform privileges. It does include functionality to restart services and flush caches, which are legitimate operations for this purpose but are potentially disruptive; the SKILL.md explicitly warns to confirm intent before mutating state.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install mihomo-cli - 安装完成后,直接呼叫该 Skill 的名称或使用
/mihomo-cli触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Smart discovery and control for Mihomo/Clash proxy instances
元数据
常见问题
Mihomo CLI 是什么?
Inspect and operate a local Mihomo/Clash.Meta/Clash Verge/ClashMac instance through its REST API. Use when the user asks to check proxy status, list nodes, r... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 243 次。
如何安装 Mihomo CLI?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install mihomo-cli」即可一键安装,无需额外配置。
Mihomo CLI 是免费的吗?
是的,Mihomo CLI 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Mihomo CLI 支持哪些平台?
Mihomo CLI 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Mihomo CLI?
由 Park(@parkgogogo)开发并维护,当前版本 v1.0.0。
推荐 Skills