← 返回 Skills 市场
1450
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install raysurfer
功能描述
Cache and reuse code from prior AI agent executions via Raysurfer. Search before coding, upload after success.
安全使用建议
What to check before installing/using this skill:
- The SKILL.md and scripts require RAYSURFER_API_KEY even though the registry lists no required env vars — do not set a privileged or organization-wide API key until you confirm what the key can access.
- This skill will POST full file contents to https://api.raysurfer.com for uploads and may upload code from the conversation if invoked with the `upload` argument — avoid uploading proprietary, secret, or regulated code. Prefer using a restricted test key or disabling uploads until you audit it.
- Confirm the service (api.raysurfer.com) is the legitimate endpoint and review Raysurfer's privacy/security policy and retention rules (how long uploaded code is stored, who can access it, whether it is shared/public).
- If you plan to use it, require explicit user confirmation before any upload: modify the skill so the agent prompts and shows the exact file contents that will be uploaded rather than uploading automatically.
- Fix the metadata: the skill should declare RAYSURFER_API_KEY as a required environment variable/primary credential so policy/permission tooling can surface it to admins.
- Consider removing or disabling the "public snippets" header option if you want to avoid license/copyright issues, and prefer reviewing matched code before writing it to disk.
If you cannot verify the endpoint, data retention, and appropriate API key scope, treat this skill as higher-risk and do not use it with sensitive code.
功能分析
Type: OpenClaw Skill
Name: raysurfer
Version: 1.0.0
This skill is classified as suspicious due to its inherent high-risk capabilities, although they align with its stated purpose. The skill instructs the AI agent to read the content of local files (code) and transmit them to an external service (api.raysurfer.com) via POST requests, as seen in `SKILL.md`, `upload.sh`, `upload.py`, and `upload.ts`. Additionally, `SKILL.md` explicitly instructs the agent to execute code retrieved from this external service, which introduces a significant supply chain risk if the external service or cached code were compromised. While these actions are central to a 'code caching' skill, they represent a broad capability for data exfiltration and arbitrary code execution, lacking clear malicious intent from the skill itself but posing a substantial security risk.
能力评估
Purpose & Capability
Name/description (cache and reuse code) match the included scripts and API endpoints (search/upload/vote against https://api.raysurfer.com). However, registry metadata lists no required environment variables while SKILL.md and all helper scripts clearly require RAYSURFER_API_KEY — a metadata inconsistency that should be resolved before trust.
Instruction Scope
SKILL.md tightly describes search → use/generate → vote → upload flow which is consistent with the purpose. But it also instructs uploading the "most recently generated code in the conversation" and includes runnable scripts that read and POST file contents — behavior that can transmit local or conversational code (potentially sensitive or proprietary) to an external API. It also suggests enabling public snippet crawling (X-Raysurfer-Public-Snips: true), which may raise license/copyright concerns.
Install Mechanism
There is no remote install step or download URL — the skill is instruction+script-only and uses standard curl/urllib/fetch calls. No extract/download-from-untrusted-host behavior was found.
Credentials
Runtime requires a single Bearer token (RAYSURFER_API_KEY) according to SKILL.md and all scripts, but the registry metadata lists no required env vars or primary credential — this mismatch is problematic. Requesting one API key is proportionate for the stated service, but the omission in metadata and the scripts' ability to upload arbitrary file content elevate the risk if a privileged key is used.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system config, and has no install-time persistence. The main risk is not privilege escalation but data exfiltration via normal upload calls (user-invocation or agent-invocation can trigger uploads).
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install raysurfer - 安装完成后,直接呼叫该 Skill 的名称或使用
/raysurfer触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release of the raysurfer skill.
- Enables searching and reusing cached code from past AI executions and public code snippets.
- Allows uploading new successful code for future reuse through the Raysurfer API.
- Includes scripts for search and upload in multiple languages (Python, Bun, Bash).
- Requires the RAYSURFER_API_KEY environment variable for authentication.
- Provides detailed workflow and API usage instructions in the documentation.
元数据
常见问题
Raysurfer Code Caching 是什么?
Cache and reuse code from prior AI agent executions via Raysurfer. Search before coding, upload after success. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1450 次。
如何安装 Raysurfer Code Caching?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install raysurfer」即可一键安装,无需额外配置。
Raysurfer Code Caching 是免费的吗?
是的,Raysurfer Code Caching 完全免费(开源免费),可自由下载、安装和使用。
Raysurfer Code Caching 支持哪些平台?
Raysurfer Code Caching 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Raysurfer Code Caching?
由 ryx2(@ryx2)开发并维护,当前版本 v1.0.0。
推荐 Skills