Total downloads: 75
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install provider-probe
Description
Probe and verify whether an OpenAI-compatible baseURL is a real single-model endpoint or a multi-model aggregation pool. Use when auditing model providers, c...
Security usage recommendations
This skill is plausibly what it says (a probe for OpenAI-compatible endpoints) but it instructs the agent to read provider configuration files and to use API keys while not declaring any required config paths or credentials. Before installing or running: (1) inspect the bundled script locally (it is included) and run it yourself in a controlled environment rather than giving the agent broad permission to run it autonomously; (2) do not let the agent read system-wide config files you care about — pass only a minimal, sanitized config or explicit baseURL+apiKey for the provider you want tested; (3) be aware the script will send any API key you supply to whatever base_url you target (that is the intended behavior but is also how keys could be leaked); (4) prefer manual invocation or run inside an isolated container/VM and avoid giving the agent access to your main OpenClaw or cloud provider configs. If the publisher can clarify which config path(s) are needed and declare them (or require explicit user confirmation before reading any files), the inconsistency would be addressed.
Functional analysis
Type: OpenClaw Skill
Name: provider-probe
Version: 1.0.0
The provider-probe skill is designed to audit LLM providers for authenticity, but it contains high-risk capabilities. The script scripts/provider_probe.py reads a local configuration file (/root/.openclaw/openclaw.json) containing sensitive API keys and transmits them to external endpoints specified in the config or via command-line arguments. While these actions are aligned with the stated purpose of probing providers, the script lacks input validation for the configuration file path and uses a hardcoded browser User-Agent to potentially bypass bot detection. No clear evidence of intentional malice or unauthorized data exfiltration was found, but the handling of secrets and arbitrary network access qualifies as suspicious under the provided criteria.
Capability assessment
Purpose & Capability
The name/description (probing OpenAI-compatible baseURLs for aggregation vs single-model routes) aligns with the included probe script and checklist. However, SKILL.md explicitly tells the agent to "Read provider config or ask for baseURL + apiKey", yet the registry metadata declares no required config paths or environment credentials — a mismatch between claimed needs and declared requirements.
Instruction Scope
SKILL.md and the bundled script instruct the agent to read provider configuration (examples show /root/.openclaw/openclaw.json) or accept baseURL+apiKey input, then make HTTP calls to /models, /responses and /chat/completions. Those instructions permit reading local JSON config files and transmitting API keys to arbitrary endpoints supplied to the tool. The skill does not declare or restrict which config paths may be accessed, increasing the chance the agent could read and transmit unrelated sensitive configuration if used carelessly.
Install Mechanism
Instruction-only skill with a bundled Python script; no install spec, no network download/install step. Low risk from installation mechanism itself.
Credentials
The code expects API keys either via a CLI --api-key argument or inside a JSON config (cfg['models']['providers'][name]['apiKey']). Yet the skill declares no required env vars or config paths and lists no primary credential. That under-declaration is inconsistent and important: in practice this skill needs sensitive API keys to operate, and if the agent follows the instruction to "read provider config" it may access and transmit those keys to external baseURLs.
Persistence & Privilege
always is false and the skill does not request persistent presence or system-level modifications. The normal default of allowing autonomous invocation applies; this alone is not a flag, but combined with the instruction to read configs and handle API keys it increases potential blast radius if the agent is allowed to run the skill autonomously.
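How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install provider-probe
- After installation, call the Skill by name or use /provider-probe to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output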
Version history
v1.0.0
Initial release: probe OpenAI-compatible providers for mixed model pools, endpoint compatibility, stability, and trust judgment.
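FAQ
What is Provider Probe?
Probe and verify whether an OpenAI-compatible baseURL is a real single-model endpoint or a multi-model aggregation pool. Use when auditing model providers, c... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 75 cumulative downloads so far.
How do I install Provider Probe?
Run the command "/install provider-probe" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Provider Probe free?
Yes, Provider Probe is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does Provider Probe support?
Provider Probe is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Provider Probe?
It is developed and maintained by Andy Ren (@andyrenxu7255); the current version is v1.0.0.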