← 返回 Skills 市场
peter-zx

Openclaw Tokenapi Qiehuan Skills

作者 左小空空 · GitHub ↗ · v0.1.0 · MIT-0
cross-platform ⚠ suspicious
172
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install openclaw-tokenapi-qiehuan-skills
功能描述
提供基于WebUI的快速AI模型切换工具,支持保存配置、一键切换、批量导入及API Key本地存储管理。
安全使用建议
This package mostly does what a local model-switcher would do, but there are important mismatches and sensitive behaviors you should check before installing: - Do not assume API keys stay only in the browser: the backend endpoints accept API keys and call secure storage/update routines. Inspect backend/secure_config.py to confirm whether API keys are encrypted at rest and how keys are written to ~/.openclaw/agents/.../auth-profiles.json. - Review any restart scripts referenced (tools/restart_gateway.bat, gateway.cmd under ~/.openclaw). Those are executed by the service (subprocess calls and taskkill) and could run arbitrary commands if modified or replaced on disk. - Confirm the server only binds to localhost in your deployment. If it binds to 0.0.0.0 or you run behind a proxy, CORS allow_origins=['*'] may expose endpoints that accept API keys to other hosts. - If you will store real production API keys, test in an isolated environment first (VM/container) to verify where keys end up and whether they are protected. - If you want to proceed, at minimum: (1) inspect secure_config.py to verify encryption, (2) restrict CORS or bind to 127.0.0.1 only, (3) review or replace restart scripts with safe versions, and (4) consider running with least privilege and backups of ~/.openclaw before first run. Because of the documentation/code disagreement about API key handling and the ability to run system commands and write to sensitive config locations, treat this skill as suspicious until you verify those details.
功能分析
Type: OpenClaw Skill Name: openclaw-tokenapi-qiehuan-skills Version: 0.1.0 The skill bundle functions as a management utility for OpenClaw but includes capabilities that significantly weaken the agent's security posture. Specifically, the 'Advanced Settings' feature allows for the programmatic disabling of the sandbox mode, shell execution restrictions, and execution security prompts (found in `backend/app/api/schemas.py` and `backend/app/core/config_manager.py`). Furthermore, the backend utilizes risky `subprocess` calls with `shell=True` to terminate processes and execute local scripts (`backend/app/core/gateway.py`), which could be leveraged for command injection if the agent is influenced by malicious prompts. While no evidence of intentional data exfiltration was found, the ability to toggle core security defenses makes this bundle highly sensitive.
能力评估
Purpose & Capability
The skill's name/description (model switcher + local API Key memory) matches the included frontend and backend code. However SKILL.md states "API Key 仅保存在浏览器 localStorage(本地),不上传到任何服务器" and claims the backend only reads/writes openclaw.json (non-API parts). The backend code (routes and ConfigManager) clearly accepts API keys via API endpoints and calls secure_config.update/save and update_auth_profile — i.e., it persists API keys to disk/agent auth-profiles. That mismatch between README and implementation is a substantive inconsistency.
Instruction Scope
Runtime instructions tell the agent to start a local backend and modify ~/.openclaw/openclaw.json and auth-profiles files. The code implements endpoints that write configs and API keys, and a GatewayController that runs system commands (taskkill, spawn gateway.cmd, launch a restart .bat). Those actions go beyond simple in-memory switching: they modify user files and control local processes. That scope is plausible for a gateway manager, but it's sensitive and should be explicit to the user.
Install Mechanism
No remote download/install spec is included; the package is local code + static frontend and a pip requirements file. No external arbitrary URL downloads or extract operations were detected. Risk from installation is limited to installing Python dependencies and running the included code.
Credentials
The skill requests no declared environment variables, but it will accept and persist provider API keys via HTTP endpoints and write to user config paths (e.g., ~/.openclaw/openclaw.json and ~/.openclaw/agents/main/agent/auth-profiles.json). Whether keys are encrypted at rest depends on secure_config.py (not shown in the truncated listing). The backend also enables permissive CORS (allow_origins=['*']) which could expose the local API if the server is not strictly bound to localhost — this amplifies risk for stored credentials.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does request ability to modify local OpenClaw files and to start/stop local processes via subprocess calls. Autonomous invocation (default allowed) combined with these capabilities increases potential impact, but autonomous invocation alone is not being flagged — it's the combination with file/credential writes and process control that is notable.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install openclaw-tokenapi-qiehuan-skills
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /openclaw-tokenapi-qiehuan-skills 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
OpenClaw Model Switcher 0.1.0 – Initial Release - Provides a WebUI for managing and switching between AI model providers quickly. - Features include a saved list of model configurations, one-click switching, batch import, provider filtering, and API key memory via browser localStorage. - Built-in presets for Aliyun, Volcano Engine, Kimi, DeepSeek, OpenAI, MiniMax, and more. - Triggered by natural language phrases such as "切换模型" or "切换到 deepseek 模型". - FastAPI backend (on port 9131) with a Vue 3 frontend; also supports command-line quick switching via Python script. - Ensures security by storing API keys only locally and never uploading them to servers.
元数据
Slug openclaw-tokenapi-qiehuan-skills
版本 0.1.0
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 1
常见问题

Openclaw Tokenapi Qiehuan Skills 是什么?

提供基于WebUI的快速AI模型切换工具,支持保存配置、一键切换、批量导入及API Key本地存储管理。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 172 次。

如何安装 Openclaw Tokenapi Qiehuan Skills?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-tokenapi-qiehuan-skills」即可一键安装,无需额外配置。

Openclaw Tokenapi Qiehuan Skills 是免费的吗?

是的,Openclaw Tokenapi Qiehuan Skills 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Openclaw Tokenapi Qiehuan Skills 支持哪些平台?

Openclaw Tokenapi Qiehuan Skills 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Openclaw Tokenapi Qiehuan Skills?

由 左小空空(@peter-zx)开发并维护,当前版本 v0.1.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463942 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259883 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200739 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191401 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190375 · by oswalpalash

💬 留言讨论