fstandhartinger

OpenClaw API Control

Author: Florian Standhartinger · GitHub ↗ · v0.1.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 174
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install openclaw-api-control
Description
Control a hosted OpenClaw instance through the OpenClaw as a Service API. Use when the user asks to talk to OpenClaw over API, send a folder or file to OpenC...
Security usage advice
This package appears to be a straightforward OpenClaw API client and the code matches the documented commands, but there are notable red flags to consider before installing:
- The SKILL.md and script require OPENCLAW_API_KEY (and optionally OPENCLAW_API_BASE_URL / OPENCLAW_INSTANCE_ID), yet the registry metadata listed no required credentials — ask the publisher to correct the registry metadata and explain why it was omitted.
- The script will read and upload local files when you explicitly request 'upload-tree' or similar; it enforces a 5MB per-file limit and skips likely binaries, but it will transmit whatever you point it at to the configured API_BASE_URL. Ensure OPENCLAW_API_BASE_URL is the official endpoint before uploading sensitive files.
- Only provide an API key scoped to the minimum privileges and instances needed; consider creating a test key and rotating it after validating the skill.
- The owner and homepage are unknown. Prefer skills from known publishers or with an audit trail; request provenance (author email, repo, or signed release) and review the full script yourself or have a trusted party do so.
- Because the manifest/metadata mismatch is the primary concern, ask the maintainer to fix the metadata (declare OPENCLAW_API_KEY as a required credential) and re-publish. If you cannot verify the source or correct the metadata, run the skill in a sandboxed environment and avoid uploading sensitive data.
If you want, I can list the exact lines where the code reads OPENCLAW_API_KEY and where file uploads occur so you can inspect them further.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-api-control
Version: 0.1.1
The skill provides a Node.js client (scripts/openclaw_api_client.mjs) to manage remote OpenClaw instances via an API. It includes high-risk capabilities such as recursive local file reading and uploading (upload-tree) and remote command execution (terminal exec) on the target instance. While these behaviors are aligned with the stated purpose in SKILL.md and require a user-provided OPENCLAW_API_KEY, the broad file and network access to the default endpoint (openclaw-as-a-service.com) constitutes a significant attack surface for data exfiltration if misused.
Capability assessment
Purpose & Capability
The SKILL.md and scripts implement an OpenClaw-as-a-Service API client (instance listing/creation, chat, file uploads, command exec) which matches the skill name/description. However the registry metadata at the top of the report lists no required environment variables or primary credential, while SKILL.md and the script require OPENCLAW_API_KEY (and optionally OPENCLAW_API_BASE_URL and OPENCLAW_INSTANCE_ID). That mismatch between declared registry requirements and the runtime instructions is an incoherence that should be resolved before trusting the skill.
Instruction Scope
The SKILL.md gives concrete commands and the code only performs the described actions: network calls to the configured API_BASE_URL, reading local files only when the user explicitly requests an upload, size limit (5MB) and a text-file heuristic are applied. There are no instructions to read arbitrary shell history or unrelated system files. The agent will need to supply the API key to operate.
Install Mechanism
There is no install spec (instruction-only with an included Node script). Nothing is downloaded from third-party URLs and no installers are run. The runtime risk is limited to executing the included Node script, which is visible in the bundle.
Credentials
The code legitimately requires a bearer API key (OPENCLAW_API_KEY) and optionally OPENCLAW_API_BASE_URL / OPENCLAW_INSTANCE_ID. Those are reasonable for the stated purpose, but the registry metadata inexplicably omitted them; the omission is suspicious. Also note OPENCLAW_API_BASE_URL is configurable — if an attacker or misconfiguration points it at a malicious endpoint, files and messages would be sent there. Treat the API key as sensitive and use a key scoped to minimal privileges/instances.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide settings. Autonomous invocation (disable-model-invocation: false) is the platform default; combined with the other concerns this does not by itself change the verdict.
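How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install openclaw-api-control
  3. Once installation completes, invoke the Skill by name or trigger it with /openclaw-api-control
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history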
v0.1.1
Add env var declarations and security metadata to resolve ClawHub scanner flags
v0.1.0
Initial release
Metadata
Slug openclaw-api-control
Version 0.1.1
License MIT-0
Total installs 0
Current installs 0
Number of versions 2
FAQ

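What is OpenClaw API Control?

Control a hosted OpenClaw instance through the OpenClaw as a Service API. Use when the user asks to talk to OpenClaw over API, send a folder or file to OpenC... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 174 total downloads so far.

How do I install OpenClaw API Control?

Run the command "/install openclaw-api-control" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.

Is OpenClaw API Control free?

Yes, OpenClaw API Control is completely free and released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does OpenClaw API Control support?

OpenClaw API Control is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed OpenClaw API Control?

Developed and maintained by Florian Standhartinger (@fstandhartinger); the current version is v0.1.1.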
