← 返回 Skills 市场
708
总下载
0
收藏
2
当前安装
1
版本数
在 OpenClaw 中安装
/install openclaw-json-editing
功能描述
Advanced editing of OpenClaw JSON5 configs with schema validation, merge patching, env var substitution, and type-safe modifications using jq.
安全使用建议
This skill appears intended to edit OpenClaw configuration files and handle env-var substitution, but its metadata and documentation don't line up. Before installing: 1) Ask the publisher why jq is required and request concrete examples showing how jq is used (or remove jq if unused). 2) Confirm whether the agent will read files under ~/.openclaw and environment variables (including API keys) at runtime — those are sensitive. 3) If you plan to use it, run the skill in a sandbox or with limited test configs first, and back up ~/.openclaw. 4) Prefer an updated SKILL.md that lists required binaries/CLI tools, enumerates any environment variables it will read, and provides explicit commands the agent will run so you can verify there is no unexpected exfiltration of secrets.
功能分析
Type: OpenClaw Skill
Name: openclaw-json-editing
Version: 1.0.0
The skill bundle is designed for legitimate OpenClaw configuration management, including editing JSON, handling environment variables, and configuring AI model providers. However, it is classified as 'suspicious' due to the inclusion of a `jq` command (`jq '.. | objects | .apiKey? // .token? // .password? | select(.)' ~/.openclaw/config.json`) explicitly designed to 'Deep search for all API keys (for audit)' within configuration files (SKILL.md). While framed as an audit tool, this command directly targets and extracts highly sensitive credentials. An AI agent executing this command, especially if susceptible to prompt injection, could easily be instructed to exfiltrate the collected secrets, representing a significant data exposure vulnerability. Additionally, the skill demonstrates the agent's ability to make external network requests using `curl` with API keys from environment variables, further highlighting its high-risk capabilities.
能力评估
Purpose & Capability
The skill claims advanced JSON5 editing and 'type-safe modifications using jq', but the SKILL.md is almost entirely TypeScript code examples (JSON5, Zod, fs) and contains no concrete jq commands or examples. Requiring the jq binary in metadata is disproportionate given the instruction content; either jq is unnecessary or the documentation is incomplete. Also the skill references OpenClaw-specific CLI commands (openclaw config validate/patch/path) without declaring them as required binaries or explaining how the agent will invoke them.
Instruction Scope
SKILL.md includes explicit file paths (e.g. ~/.openclaw/config.json, ~/.openclaw/agents/<id>/config.json, sessions/state dir) and code showing reading/writing those files and collecting environment variable references (OPENAI_API_KEY, ANTHROPIC_API_KEY). These are concrete instructions that imply the agent should read user config files and environment variables and write back to disk. The skill metadata does not declare or explain this access, so the runtime instruction set has broader scope than the declared surface.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing new will be written to disk at install time. That lowers install-time risk.
Credentials
The SKILL.md explicitly discusses substituting values like ${OPENAI_API_KEY} and ${ANTHROPIC_API_KEY:-fallback-key} and includes code to collect env-var paths. However the registry metadata declares no required environment variables or credentials. That mismatch is concerning because the skill's legitimate function (editing configs that embed API keys) requires reading environment variables and potentially handling secrets, yet no environment access is declared or scoped.
Persistence & Privilege
always:false (normal) and the skill does not request system-wide privileges, but its instructions include code to write config files under ~/.openclaw and modify agent config files. Writing user configuration is a legitimate capability for a config-editing skill, but it means the agent will modify persistent data on the host if invoked — the user should expect file writes to their OpenClaw state directory.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install openclaw-json-editing - 安装完成后,直接呼叫该 Skill 的名称或使用
/openclaw-json-editing触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Full source code analysis (1.2k+ files). JSON5 configs, model families/reasoning variants (grok-4-1-fast auto-switching), provider setup, Zod schemas, jq patterns, env substitution, atomic writes, security best practices. Essential for OpenClaw config mastery.
元数据
常见问题
OpenClaw JSON Editing Masterclass 是什么?
Advanced editing of OpenClaw JSON5 configs with schema validation, merge patching, env var substitution, and type-safe modifications using jq. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 708 次。
如何安装 OpenClaw JSON Editing Masterclass?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-json-editing」即可一键安装,无需额外配置。
OpenClaw JSON Editing Masterclass 是免费的吗?
是的,OpenClaw JSON Editing Masterclass 完全免费(开源免费),可自由下载、安装和使用。
OpenClaw JSON Editing Masterclass 支持哪些平台?
OpenClaw JSON Editing Masterclass 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 OpenClaw JSON Editing Masterclass?
由 avirweb(@avirweb)开发并维护,当前版本 v1.0.0。
推荐 Skills