Pengbo Space

通过 pengbo.space 的 SMM API 查询服务、筛选服务 ID、提交订单、查询订单状态、发起补单和检查余额。适用于需要安全调用 pengbo.space/api/v1 的自动化任务。对写操作默认要求显式确认。

What to check before installing: - Metadata mismatch: the skill expects an API key (PENGBO_API_KEY) for many operations, but the registry entry does not declare any required credentials. Confirm the publisher and ensure you supply a valid PENGBO_API_KEY only if you trust pengbo.space. - Local writes: the skill writes cache and audit files under skills/pengbo-space/data/ (services cache, orders-log.jsonl, onboarding-state.json). If you care about where logs or hashes live, inspect or relocate this directory. - Write operations are real and billable: add/refill create real orders against an external SMM service and may incur charges. The skill requires explicit --confirm for writes, but always verify before authorizing any write action. - Update flow and downloads: updates/downloads are allowed only from clawhub.com, clawhub.ai, or pengbo.space and require signature verification, which is good — verify the public key you provide is correct. - Helper scripts may install tools (e.g., cyclonedx-bom via pip --user) when run; these are not automatic at install but will modify your user environment if executed. - Legal/ethical: the skill automates social-media growth actions (followers/likes/views). Ensure this use complies with the terms of the social platforms and your organization’s policy. Recommended actions: 1) Ask the publisher (or registry owner) to update the skill metadata to declare PENGBO_API_KEY as the primary credential so the permission model is accurate. 2) Review scripts (scripts/pengbo_smm.py, secure_update.sh) yourself or with a security reviewer before enabling autonomous invocation; confirm the allowed hosts and signing key. 3) If you proceed, run first with read-only commands (health, services) and with an API key scoped to a test account; inspect data/ files created by the skill. I flagged this as "suspicious" (not malicious) because the code and instructions are consistent with the claimed purpose, but the omission of the API key in the declared requirements and the presence of local write/update behaviors are notable, avoidable mismatches that you should resolve before trusting the skill.

Type: OpenClaw Skill Name: pengbo-space Version: 1.1.1-beta.1 The pengbo-space skill bundle is a professional-grade SMM API wrapper that demonstrates significant security maturity. It includes robust security controls such as a signed update mechanism (secure_update.sh) using Ed25519 signatures, strict HTTPS/domain allowlisting (pengbo.space), and automated pre-release security scanning scripts (pre_release_scan.sh). The core logic in pengbo_smm.py is well-implemented with safety features like idempotency guards, audit logging, and mandatory user confirmation for financial transactions (orders), with no evidence of malicious intent or unauthorized data access.