NewAPI
Author: Calcium-Ion · v0.1.1 · MIT-0
Total downloads: 367
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw
/install newapi
Description
Assistant for newapi (new-api), an open-source unified AI gateway platform (https://github.com/QuantumNous/new-api). Use when the user asks about New API, ma...
Security usage recommendations
Before installing or running this skill:
1) Be aware the scripts require NEWAPI_BASE_URL, NEWAPI_ACCESS_TOKEN, and NEWAPI_USER_ID even though the registry metadata doesn't list them — set those only in a secure environment.
2) env.js will load .env from your project root (it searches upward from the current working directory) and from the skill dir — remove or avoid sensitive secrets in project .env files you don't want read.
3) Review the scripts yourself: inject-key can overwrite files atomically and exec-token runs arbitrary shell commands with live secrets substituted; only run apply/exec on files/commands you trust.
4) The skill's sanitizers try to redact secrets but are heuristic — do not rely on them as an absolute guarantee.
5) If you expect the platform to enforce least privilege, ask the publisher to update metadata to declare required env vars explicitly and to document the .env file access behavior clearly before proceeding.
Functional analysis
Type: OpenClaw Skill
Name: newapi
Version: 0.1.1
The skill bundle provides management for the New API gateway but includes high-risk capabilities, specifically arbitrary shell command execution and file system modification. The script `exec-token.js` uses `execSync` with `shell: true` to execute commands containing token placeholders, which presents a significant Remote Code Execution (RCE) risk if the command template is manipulated. Additionally, `inject-key.js` allows for reading and atomically overwriting local files. While the bundle contains extensive security instructions and a sanitization module (`sanitize.js`) designed to prevent the AI from seeing or leaking secrets, the inclusion of these powerful execution primitives without strict input validation qualifies as suspicious.
Capability assessment
Purpose & Capability
The skill's name/description (New API management, tokens, config injection, exec with tokens) aligns with the included scripts. However, the registry metadata declares no required environment variables while the runtime scripts (env.js) require NEWAPI_BASE_URL, NEWAPI_ACCESS_TOKEN, and NEWAPI_USER_ID and will exit if they are missing. That mismatch (metadata vs actual requirements) is an incoherence the user should notice.
Instruction Scope
SKILL.md and docs instruct the agent to avoid exposing keys and not to read .env or clipboard contents, but env.js explicitly loads .env files (project root and skill dir) to populate credentials. The scripts will also read arbitrary config files for scan/apply operations and will atomically overwrite files in apply mode. exec-token runs arbitrary shell commands with a fetched secret substituted into the command — powerful and aligned with purpose, but it requires trust in the script's sanitization and in the target command not to leak the secret elsewhere.
Install Mechanism
There is no install spec and this is instruction-plus-script content (no network downloads at install time). That reduces supply-chain risk; the code is shipped in the skill bundle rather than fetched from an arbitrary URL.
Credentials
The scripts legitimately need three environment values (NEWAPI_BASE_URL, NEWAPI_ACCESS_TOKEN, NEWAPI_USER_ID) to call the New API, but the skill registry metadata lists none — this under-declaration is misleading. Also, env.js will look for a project-root .env (by walking up from process.cwd()) and load it if present, which means the scripts may read user project files and any secrets they contain. That level of file access is more than the metadata suggests and should be confirmed before installing.
Persistence & Privilege
always:false and no modification of other skills or global agent settings. The skill can write to arbitrary files specified by the user (inject-key apply mode) and execute arbitrary shell commands (exec-token) — these are powerful but coherent with the stated purpose; they require user caution and explicit file/command targets.
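How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install newapi
- Once installation completes, invoke the Skill by name or trigger it with /newapi
- Provide the required inputs according to the Skill's parameter description to get structured output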
Version history
v0.1.1
Version 0.1.1
- Updated "Security Constraints" section to "Security Guidelines" with clearer, more accessible language.
- Added clarifications on the limitations of `scan-config` and best-effort secret redaction.
- Reorganized and simplified security guidance for improved readability.
- No changes to commands, actions, or file structure.
v0.1.0
Initial release of the "newapi" skill — secure gateway and management for New API.
- Provides secure actions for listing models, groups, balance, and managing API tokens.
- Enforces strict security rules: never expose or show API keys; always use provided scripts for actions.
- Supports commands for secure key copying, config file application, and executing commands with masked tokens.
- Includes help and guidance for safe New API usage.
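FAQ
What is NewAPI?
Assistant for newapi (new-api), an open-source unified AI gateway platform (https://github.com/QuantumNous/new-api). Use when the user asks about New API, ma... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 367 total downloads to date.
How do I install NewAPI?
Run the command "/install newapi" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is NewAPI free?
Yes, NewAPI is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does NewAPI support?
NewAPI is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed NewAPI?
It is developed and maintained by Calcium-Ion (@calcium-ion); the current version is v0.1.1.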