← 返回 Skills 市场

nokey-vehicle-info

Name: nokey-vehicle-info
Author: zhouzidan

作者 zhou_guobao · GitHub ↗ · v1.0.2 · MIT-0

cross-platform ⚠ suspicious

138

总下载

当前安装

版本数

在 OpenClaw 中安装

/install nokey-vehicle-info

功能描述

车辆信息查询技能，支持查询车辆位置、车况信息（车锁、车门、车窗、空调、引擎状态等）。当用户查询车辆位置、询问车辆在哪里、查询车况信息时自动调用此技能。

安全使用建议

What to consider before using/installing: - Do not paste real production tokens until you confirm expected format and endpoints. SKILL.md and README disagree on whether the string is vehicleToken####accessToken or accessToken####vehicleToken — confirm with the author or by trial with a short-lived test token. - The skill saves tokens in plaintext to ~/.nokey_vehicle_info_cache.json and prints them in examples; treat these tokens as sensitive. If you must test, use short-lived or test tokens and rotate them immediately after. - The package has no verified source or homepage. Prefer skills from known authors or official vendor integrations; verify the API domains (uat-openapi.ingeek.com and openapi.nokeeu.com) independently before sending credentials. - The SKILL.md expects curl and jq but the skill metadata didn't list required binaries — ensure you have those tools and understand they will be used to make network calls to the listed endpoints. - If you proceed: 1) test with a revoked/test token, 2) inspect the created cache file and remove it when done, 3) consider restricting file permissions (chmod 600) and rotating real tokens after use, and 4) ask the maintainer to fix the token-format documentation and avoid echoing tokens in outputs/logs. - If you cannot verify the author or endpoints, do not provide live credentials and consider declining installation.

功能分析

Type: OpenClaw Skill Name: nokey-vehicle-info Version: 1.0.2 The skill manages vehicle information by executing shell commands (curl, jq, awk) to interact with third-party APIs (ingeek.com, nokeeu.com). It requests sensitive authentication tokens from the user and stores them in plaintext in a local cache file (~/.nokey_vehicle_info_cache.json), which is a significant security vulnerability. Additionally, the instructions in SKILL.md for processing user-provided tokens via shell scripts are potentially vulnerable to shell injection if the AI agent does not sanitize the input before execution. While these capabilities are plausibly needed for the stated purpose, the combination of risky shell execution and insecure credential handling warrants a suspicious classification.

能力评估

ℹ Purpose & Capability

The declared purpose (query vehicle location and condition) matches the documented API calls to /iot/v1/condition. However there are internal inconsistencies: SKILL.md expects token format vehicleToken####accessToken while README.md documents accessToken####vehicleToken. The skill also references a deploy.sh and a deploy path that are not present in the package. These mismatches reduce confidence in correctness but do not by themselves indicate malicious intent.

⚠ Instruction Scope

Runtime instructions instruct the agent/user to accept credential strings, parse them, save them to ~/.nokey_vehicle_info_cache.json, and use curl/jq to POST to external endpoints. Saving sensitive tokens in plaintext and echoing them to stdout (the docs show echoing accessToken/vehicleToken) increases risk of accidental leakage (e.g., logs, screenshots, assistant transcripts). The instructions also require reading and writing the user's home directory; while this is functionally relevant, it is sensitive and should be explicit to users.

ℹ Install Mechanism

This is instruction-only (no install spec, no code files), so no archive downloads or exec installs are present. The README recommends installing curl and jq, but the skill metadata lists no required binaries — that mismatch is an oversight. Overall install risk is low because nothing is being downloaded by the skill itself.

⚠ Credentials

The skill requests no environment variables but its README/SKILL.md reference environment selection (VEHICLE_ENV or cached env field). The biggest proportionality concern is that the skill asks for two sensitive tokens and stores them unencrypted in a local file without guidance on protecting or rotating them. The conflicting token-format documentation (two places disagree which token comes first) is a substantive coherence issue for credential handling.

ℹ Persistence & Privilege

always:false (no forced global presence). The skill persists credentials in a file under the user's home (~/.nokey_vehicle_info_cache.json), which is expected for caching but should be considered a privilege (it writes to user home). It does not request system-wide config changes or other skills' credentials.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install nokey-vehicle-info
安装完成后，直接呼叫该 Skill 的名称或使用 /nokey-vehicle-info 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.2

**Changelog for nokey-vehicle-info v1.0.2** - 更新接口响应示例与字段说明，细化车辆状态字段（power、trunk、gear、window 等）。 - 明确 gear 档位、window 车窗等字段的编码说明。 - 删除响应示例中未必返回的车辆物理量字段（如温度、电压、电量等）。 - 无功能完善或接口变更，仅文档描述更正与结构精简。 - 保留所有使用方式和环境切换相关指引不变。

v1.0.1

功能完善

v1.0.0

nokey-vehicle-info 1.0.0 - 初始发布 - 新增车辆信息查询技能，支持车辆位置与车况（如车锁、车门、车窗、空调、引擎状态等）自动化查询。 - 实现 access_token 和 device_token 的本地认证缓存与校验。 - 支持用户通过命令行/会话引导补充认证信息。 - 通过 curl API 方式无依赖实现车辆状态与位置信息查询。 - 支持环境切换（UAT 和 PROD）。 - 完备的查询流程说明和接口字段文档，含错误处理指引。

元数据

Slug nokey-vehicle-info

版本 1.0.2

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 3

常见问题

nokey-vehicle-info 是什么？

车辆信息查询技能，支持查询车辆位置、车况信息（车锁、车门、车窗、空调、引擎状态等）。当用户查询车辆位置、询问车辆在哪里、查询车况信息时自动调用此技能。它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 138 次。

如何安装 nokey-vehicle-info？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install nokey-vehicle-info」即可一键安装，无需额外配置。

nokey-vehicle-info 是免费的吗？

是的，nokey-vehicle-info 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

nokey-vehicle-info 支持哪些平台？

nokey-vehicle-info 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 nokey-vehicle-info？

由 zhou_guobao（@zhouzidan）开发并维护，当前版本 v1.0.2。