← 返回 Skills 市场
Platform API Connector
作者
brandonwadepackard-cell
· GitHub ↗
· v1.0.0
554
总下载
0
收藏
2
当前安装
1
版本数
在 OpenClaw 中安装
/install platform-api-connector
功能描述
Connect to social media and content platform APIs by navigating developer portals, creating apps, obtaining OAuth tokens, and storing credentials. Covers Fac...
安全使用建议
This skill appears to be an instruction guide for obtaining OAuth tokens and storing them — that behavior by itself is consistent with the description. Before installing or using it, verify these points: (1) Where will you store credentials? Provide a secure, access-controlled/ encrypted secrets store (not plaintext JSONB unless you add envelope encryption). (2) The SKILL.md mentions storing secrets in Supabase but declares no DB connection or credentials — ensure you never supply DB credentials or tokens to untrusted code and consider least-privilege DB roles. (3) Validate claims about token lifetimes (e.g., 'never expire' statements) against current platform docs and plan token rotation. (4) If you implement the provided snippets, run them locally and inspect any helper functions (get_connection/update_connection) to make sure they do not exfiltrate tokens. (5) If you intend the agent to store or retrieve credentials automatically, require explicit, audited connector configuration (connection URL, API key) and consider requiring user confirmation before any persistent writes. If you want me to, I can point out exact places in the SKILL.md to modify so it enforces encryption, least privilege, and explicit DB connection configuration.
功能分析
Type: OpenClaw Skill
Name: platform-api-connector
Version: 1.0.0
The skill is classified as suspicious due to its core functionality involving the acquisition and storage of highly sensitive API credentials (client secrets, access tokens, refresh tokens, API keys) for various social media platforms. The `SKILL.md` explicitly instructs the AI agent to store these critical credentials in a database, even providing a `CREATE TABLE` SQL schema for this purpose. While the stated intent is to manage API connections, the instruction to store such sensitive data without explicit mention of robust security measures (e.g., encryption at rest, secure key management) represents a significant security vulnerability. A compromise of the database or the agent could lead to a major data breach. Additionally, `references/oauth-flows.md` details running a local HTTP server for OAuth callbacks, further highlighting network activity and sensitive data handling.
能力评估
Purpose & Capability
The name and description match the instructions: the SKILL.md explains how to create apps, run OAuth flows, and store credentials for the listed platforms. However, the skill repeatedly instructs storing secrets in a DB (Supabase suggested) yet declares no required environment variables or connection configuration for a DB or secret store. That mismatch (declaring no required creds while instructing persistent storage of sensitive tokens) is noteworthy.
Instruction Scope
The instructions explicitly tell the operator to run local OAuth servers, read a 'credentials.json' file for Google, and persist client secrets/access tokens into a JSONB DB table. The SKILL.md does not advise encryption-at-rest, access controls, or secrets rotation, and it references helper functions (get_connection/update_connection) that are not provided. Recommending storing raw secrets without guidance is a security risk and broadens the runtime scope beyond simply 'helping get tokens.'
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute. That minimizes install-time risk (nothing will be downloaded or written by an installer). The regex scanner had nothing to analyze.
Credentials
The skill requests no environment variables or primary credential in metadata, yet it presumes persistent storage (Supabase/DB) and local files (credentials.json). For practical use the operator will need DB connection info, API keys, or service credentials—none are declared. Also, the SKILL.md recommends storing highly sensitive secrets but provides no guidance to limit access, encrypt, or scope them, which is disproportionate for a helper doc.
Persistence & Privilege
The skill does not request always:true, does not include installers, and is user-invocable only. It does not try to modify other skills or system-wide settings. Autonomous invocation is enabled by default on the platform but is not combined here with other red flags.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install platform-api-connector - 安装完成后,直接呼叫该 Skill 的名称或使用
/platform-api-connector触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: OAuth flows and credential management for Facebook, Instagram, YouTube, Twitter, TikTok
元数据
常见问题
Platform API Connector 是什么?
Connect to social media and content platform APIs by navigating developer portals, creating apps, obtaining OAuth tokens, and storing credentials. Covers Fac... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 554 次。
如何安装 Platform API Connector?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install platform-api-connector」即可一键安装,无需额外配置。
Platform API Connector 是免费的吗?
是的,Platform API Connector 完全免费(开源免费),可自由下载、安装和使用。
Platform API Connector 支持哪些平台?
Platform API Connector 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Platform API Connector?
由 brandonwadepackard-cell(@brandonwadepackard-cell)开发并维护,当前版本 v1.0.0。
推荐 Skills