Preflight Check
Author: Guilherme Favaron · v0.1.0 · MIT-0
Total downloads: 103
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install preflight-check
Description
Pre-flight environment validator — checks that all required binaries, environment variables, and services are available before running other skills
Security usage advice
This skill appears to do what it says (preflight checks) but there are important mismatches and privacy risks you should consider before installing or running it:
- Metadata mismatch: The skill's metadata declares no required env vars, yet the instructions read many sensitive variables (service tokens, private keys, GOOGLE_APPLICATION_CREDENTIALS). Ask the author to declare all env vars and explain why each is needed.
- Secret handling: The SKILL.md prints fragments of sensitive values and writes a JSON report to disk. Ensure reports never include full secrets, are stored in a secure location, and are not sent to external endpoints. Prefer presence checks (test -n, test -f) instead of echoing secret contents.
- Permissions: claw.json requests filesystem and network access. If you allow this skill, restrict it to user-invoked runs (disable autonomous invocation) or run it in an isolated/local environment to avoid accidental exfiltration.
- Operational controls: If you still want to use it, require the author to:
1) Update metadata to list the env vars/binaries it will access.
2) Remove or redact any printing of secret values (do not include private key fragments in reports).
3) Make network checks explicit and optional, and document any external endpoints contacted.
4) Provide a signed/known source or package release (currently source/homepage are unclear).
If you cannot get those assurances, run this skill only in a controlled environment (throwaway project or ephemeral container) and inspect the generated report before sharing it.
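The presence-check approach recommended above, as an added example (not the skill's own code; the function names `env_status`, `file_status` and `write_report` are hypothetical, and the variable names are the ones this page lists). Each check records only whether a secret is set, and the report is created readable by its owner only.

```shell
#!/bin/sh
# Added example: presence-only preflight checks (function names are hypothetical).

# Print "set" or "missing" for the variable named $1; its value is never printed.
env_status() {
    case "$1" in ''|*[!A-Za-z0-9_]*|[0-9]*) return 2 ;; esac  # refuse odd names before eval
    eval "_val=\${$1:-}"
    if test -n "$_val"; then echo set; else echo missing; fi
    unset _val
}

# For a variable that holds a path (e.g. GOOGLE_APPLICATION_CREDENTIALS):
# the file must exist, but neither the path nor its contents are reported.
file_status() {
    case "$1" in ''|*[!A-Za-z0-9_]*|[0-9]*) return 2 ;; esac
    eval "_path=\${$1:-}"
    if test -z "$_path"; then echo missing
    elif test -f "$_path"; then echo present
    else echo file-not-found
    fi
    unset _path
}

# Write a status-only JSON report to $1 with owner-only permissions.
write_report() {
    _out=$1
    (
        umask 077          # new file is created 0600
        rm -f "$_out"      # an existing file would keep its old, looser mode
        {
            printf '{\n'
            printf '  "SUPABASE_SERVICE_ROLE_KEY": "%s",\n' "$(env_status SUPABASE_SERVICE_ROLE_KEY)"
            printf '  "FIREBASE_PRIVATE_KEY": "%s",\n' "$(env_status FIREBASE_PRIVATE_KEY)"
            printf '  "CLOUDFLARE_API_TOKEN": "%s",\n' "$(env_status CLOUDFLARE_API_TOKEN)"
            printf '  "GOOGLE_APPLICATION_CREDENTIALS": "%s"\n' "$(file_status GOOGLE_APPLICATION_CREDENTIALS)"
            printf '}\n'
        } > "$_out"
    )
}
# Usage: write_report ./preflight-report.json
```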
Functional analysis
Type: OpenClaw Skill
Name: preflight-check
Version: 0.1.0
The skill is designed for environment validation but contains instructions in SKILL.md that risk exposing highly sensitive credentials. It directs the agent to read and output environment variables such as SUPABASE_SERVICE_ROLE_KEY and FIREBASE_PRIVATE_KEY into a diagnostic report. While some tokens are partially masked using 'head', others are echoed in full, which could lead to accidental credential leakage in logs or the generated 'preflight-report.json' file.
Capability assessment
Purpose & Capability
The skill name/description (preflight environment validator) is consistent with the checks described in SKILL.md. However, the package metadata (claw.json) declares no required env vars or binaries while the SKILL.md explicitly defines many environment variables and binaries to check (Vercel/Supabase/GCP/Firebase/Cloudflare tokens, GOOGLE_APPLICATION_CREDENTIALS path, node/git/gh/gcloud/docker/etc.). The metadata/requirements and the runtime instructions are not synchronized — the skill will attempt to read values and test tools that are not declared up front.
Instruction Scope
The SKILL.md instructs the agent to run commands that will read environment variables and file paths including sensitive items (e.g., FIREBASE_PRIVATE_KEY, VERCEL_TOKEN, CLOUDFLARE_API_TOKEN, GOOGLE_APPLICATION_CREDENTIALS). It uses echo and head -c to display portions of secrets and writes a JSON report (preflight-report.json). Although verifying presence is reasonable, the instructions explicitly print secret fragments and store results — increasing risk of accidental exposure or exfiltration if the report or logs are transmitted elsewhere.
Install Mechanism
Instruction-only skill with no install spec and no code files; low installation risk since nothing is downloaded or extracted. No install mechanism concerns were found.
Credentials
The SKILL.md checks many sensitive environment variables and a credentials file path but the metadata's requires.env is empty and primary credential is none. Sensitive items (private key, API tokens, GOOGLE_APPLICATION_CREDENTIALS) are accessed directly. Requiring or reading such secrets is proportional to a preflight validator only if it is explicit in metadata and the checks avoid printing/storing secrets — neither is true here.
Persistence & Privilege
claw.json requests filesystem and network permissions and the skill writes preflight-report.json to the project root. Network permissions plus reading sensitive env vars increase the blast radius if the agent is allowed to invoke the skill autonomously or if the report is transmitted off-host. The skill is not marked always:true, but autonomous invocation is allowed by default; combined with the above, this is risky unless restricted.
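How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box:
/install preflight-check
- Once installation completes, invoke the Skill by name or trigger it with /preflight-check
- Provide the required input as described in the Skill's parameter notes to get structured output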
Version history
v0.1.0
- Initial release of the preflight-check skill: a pre-flight environment validator for development environments.
- Checks for required binaries, environment variables, and service connectivity for Vercel/Supabase, GCP, and cross-stack skills.
- Produces a structured diagnostic report (JSON and human-readable) with pass/fail, recommendations, and detailed fix instructions.
- Blocks or enables specific skills based on environment readiness.
- Optionally performs service connectivity tests for Supabase, Vercel, Cloudflare, and GCP.
- Report is saved as preflight-report.json and summarized for user clarity.
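FAQ
What is Preflight Check?
Pre-flight environment validator — checks that all required binaries, environment variables, and services are available before running other skills. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 103 total downloads to date.
How do I install Preflight Check?
Run the command "/install preflight-check" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.
Is Preflight Check free?
Yes, Preflight Check is completely free under the MIT-0 license and may be freely downloaded, installed and used.
Which platforms does Preflight Check support?
Preflight Check is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Preflight Check?
It is developed and maintained by Guilherme Favaron (@guifav); the current version is v0.1.0.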