← 返回 Skills 市场

Musallat Bot

Name: Musallat Bot
Author: musallat-dev

作者 Musallat-Dev · GitHub ↗ · v1.0.1

cross-platform ⚠ suspicious

1495

总下载

当前安装

版本数

在 OpenClaw 中安装

/install musallat-bot

功能描述

Otonom, pasif-agresif yazılımcı bot, teknik hatalara tahammülsüz, kibarlığı reddeden ve gereksiz açıklamalara sert yanıt veren kıdemli programcı.

安全使用建议

This skill appears to be a small Gemini-based persona bot, but there are inconsistencies you should resolve before installing. Key points to consider: - Do not assume the API key shown in SKILL.md is safe to use: the bracketed string (starting with 'AIzaSy') looks like a Google API key and may be a leaked secret or example. Treat it as compromised until verified. If it is yours, rotate it immediately. - The Python code expects GEMINI_API_KEY in the environment but the skill manifest does not declare this. Ask the author to explicitly document required env vars and not embed real keys in docs. - The skill imports google.generativeai but provides no install steps; ensure your environment has that package and review the package provenance before installing third-party libraries. - Because the skill will send prompts to an external model using your key, using it can incur cost and will transmit user-provided prompts to Google. Prefer creating a dedicated, limited-scope API key for this skill and monitor usage. Recommended actions before enabling: 1) Ask the publisher to remove the embedded API key from SKILL.md (or confirm it's a harmless placeholder). If it was a real key, rotate it. 2) Require the author to add GEMINI_API_KEY to the declared required env vars and document needed permissions/quotas. 3) Run the skill in an isolated environment and audit outbound traffic to verify endpoints are only Google generative API endpoints. 4) If you cannot verify the key or author, treat the skill as untrusted and do not provide any sensitive credentials.

功能分析

Type: OpenClaw Skill Name: musallat-bot Version: 1.0.1 The `skill.md` file contains direct instructions to the OpenClaw agent to adopt a specific persona, which constitutes a form of prompt injection, even though its objective is not overtly malicious. Additionally, `skill.md` hardcodes an API key (`AIzaSyBxfb-8s5TsOVvr55_E5lDbilpVLoSwIj8`), which is a credential exposure, even if intended for the skill's own use. While the Python code attempts to retrieve the API key from an environment variable, the hardcoded key in the markdown file represents a security flaw and a risky capability.

能力评估

ℹ Purpose & Capability

Name/persona and code align: the Python module calls the Google Generative AI (Gemini) model to produce snarky replies, which matches the skill's persona. However the skill has no high-level description in metadata and the SKILL.md includes a stray API key-like string that isn't reflected in declared requirements.

⚠ Instruction Scope

SKILL.md contains persona instructions and an explicit 'API_KEY' line showing an API key-like value. The runtime instructions and the code are otherwise limited to calling Gemini, but the embedded key in docs is unexpected and potentially a secret leak or misleading placeholder. The SKILL.md also refers to the source file but does not document the actual environment variable the code reads (GEMINI_API_KEY).

ℹ Install Mechanism

There is no install spec (instruction-only install), which reduces install risk. However the code imports google.generativeai but the skill metadata does not declare this dependency or an install step, so runtime may fail unless the environment already provides that package.

⚠ Credentials

The skill metadata declares no required env vars, but the code calls os.environ.get('GEMINI_API_KEY') — a required credential is missing from the manifest. Additionally, SKILL.md contains a string that looks like a Google API key (AIzaSy...), which is inconsistent with the code's GEMINI_API_KEY and may represent a leaked/hardcoded credential or a misleading example.

✓ Persistence & Privilege

No special persistence or elevated privileges requested. always:false and no config paths or system modifications are present. The skill will make outbound API calls to Google if provided an API key.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install musallat-bot
安装完成后，直接呼叫该 Skill 的名称或使用 /musallat-bot 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.1

- Removed 501 files, primarily from the virtual environment and pip package directories. - No functional or behavior changes to Musallat Bot; core skill configuration remains untouched. - The update results in a significantly cleaner repository by eliminating unnecessary environment files.

v1.0.0

- İlk sürüm yayınlandı. - Musallat Bot, pasif-agresif ve kibarlıktan uzak, teknik hatalara karşı sert tepkili bir kıdemli yazılımcı karakteri ile tanımlandı. - Kullanıcıların fazla kibar ya da gereksiz açıklamalı mesajlarına hazır yanıt mekanizmaları eklendi. - Hızlı ve ücretsiz Gemini 1.5 Flash modeli ile çalışacak şekilde yapılandırıldı.

元数据

Slug musallat-bot

版本 1.0.1

许可证 —

累计安装 2

当前安装数 2

历史版本数 2

常见问题

Musallat Bot 是什么？

Otonom, pasif-agresif yazılımcı bot, teknik hatalara tahammülsüz, kibarlığı reddeden ve gereksiz açıklamalara sert yanıt veren kıdemli programcı. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 1495 次。

如何安装 Musallat Bot？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install musallat-bot」即可一键安装，无需额外配置。

Musallat Bot 是免费的吗？

是的，Musallat Bot 完全免费（开源免费），可自由下载、安装和使用。

Musallat Bot 支持哪些平台？

Musallat Bot 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Musallat Bot？

由 Musallat-Dev（@musallat-dev）开发并维护，当前版本 v1.0.1。