← 返回 Skills 市场
148
总下载
1
收藏
0
当前安装
4
版本数
在 OpenClaw 中安装
/install reah-agent-card
功能描述
Retrieve masked card info from Reah using an access key. Handles session generation, secure fetch, and decryption for agents automatically.
安全使用建议
This skill appears to implement the described Reah card access flow and keeps network activity constrained to agents.reah.com, but there are a few things to verify before installing:
- Confirm provenance: the registry lists the source as unknown and SKILL.md/README point to a GitHub install; verify the skill's origin (official Reah repo) before adding it to an agent that will handle card keys.
- Metadata mismatch: SKILL.md requires REAH_AGENT_KEYS but the registry metadata you saw did not declare this — ask the publisher to correct the manifest so required env vars are explicit.
- Review the confirmation flow: SKILL.md requires an explicit per-read confirmation for REAH_AGENT_KEYS. Ensure your agent platform actually prompts and prevents silent env reads.
- Least privilege: store REAH_AGENT_KEYS only where necessary, rotate keys regularly as advised, and prefer short-lived keys if Reah supports them.
- Code audit: the included Node example decrypts sensitive material in memory (but doesn't print it). If you plan to enable autonomous use, audit how the agent will use decrypted values and ensure it will only return masked/redacted card parts as specified.
If you cannot verify the skill's source or guarantee the per-read confirmation behavior, treat this skill as higher risk and avoid installing it in environments with real card keys.
功能分析
Type: OpenClaw Skill
Name: reah-agent-card
Version: 1.0.3
The skill bundle is a legitimate integration for the Reah platform, allowing an AI agent to securely retrieve virtual card information. It features robust security controls, including mandatory manual user confirmation for every access key read, strict masking/redaction requirements for card data in user-facing responses, and a hardcoded GraphQL endpoint (https://agents.reah.com/graphql) to prevent redirection. The accompanying Node.js script (get-card-info-example.mjs) implements a secure end-to-end encryption flow using RSA-OAEP for session establishment and AES-GCM for data decryption, with no evidence of unauthorized data exfiltration or malicious intent.
能力标签
能力评估
Purpose & Capability
The skill claims to retrieve masked card info from Reah and the included Node example implements a GraphQL call to https://agents.reah.com/graphql and local decryption — this is coherent with the description. However the package/registry metadata provided to the evaluator omits the REAH_AGENT_KEYS env var that the SKILL.md and README clearly require, creating an inconsistency between declared requirements and the runtime instructions.
Instruction Scope
SKILL.md limits network calls to the single Reah GraphQL endpoint, requires explicit user confirmation before reading REAH_AGENT_KEYS, and mandates masking/no-export of raw PAN/CVC. The example Node script enforces endpoint immutability and does the decryption locally. That scope is appropriate for the stated goal. Caveat: the example decrypts values in memory but does not show or save them — enforcement of masking/never-exposing card data is purely procedural (instructions), not enforced across the skill surface.
Install Mechanism
This is an instruction-only skill with an included reference script; there is no install spec that downloads remote artifacts. README suggests an npx install from a GitHub repo, but no install spec in the registry package. No remote download URLs or installers were found in the provided files.
Credentials
The skill expects sensitive REAH_AGENT_KEYS to be available (and the SKILL.md metadata lists REAH_AGENT_KEYS). That is proportionate to the function, but the registry metadata earlier reported 'Required env vars: none' — this mismatch is concerning. Also the README instructs adding a JSON mapping to REAH_AGENT_KEYS in agent env. Ensure the skill will only read keys after explicit per-read confirmation as required by SKILL.md and that the agent/platform enforces that confirmation flow rather than silently reading environment variables.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and has normal invocation privileges. Nothing requests elevated or permanent system presence.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install reah-agent-card - 安装完成后,直接呼叫该 Skill 的名称或使用
/reah-agent-card触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.3
Added support for secure environment variable access for Reah agent keys.
v1.0.2
- License file added.
v1.0.1
- Replaces previous PAN/CVV retrieval scripts with new "get-card-info" flow.
- Adds stricter security: endpoint is hardcoded, no auth/cookie/header overrides allowed.
- Updates script and filenames to use "card info" terminology (get-card-info.mjs, etc).
- User-facing output now always masks part A of card info and redacts part B.
- Documentation (SKILL.md) reflects new command, output format, and security rules.
v1.0.0
Initial release of Reah Skill
- Secure retrieval of card PAN and CVV using access key
- Automatic session generation and encryption handling
- Integrated with Reah GraphQL API
- CLI tools for agent-based workflows
元数据
常见问题
Reah Skill: Agent Card 是什么?
Retrieve masked card info from Reah using an access key. Handles session generation, secure fetch, and decryption for agents automatically. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 148 次。
如何安装 Reah Skill: Agent Card?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install reah-agent-card」即可一键安装,无需额外配置。
Reah Skill: Agent Card 是免费的吗?
是的,Reah Skill: Agent Card 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Reah Skill: Agent Card 支持哪些平台?
Reah Skill: Agent Card 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Reah Skill: Agent Card?
由 axelzou(@axelzou)开发并维护,当前版本 v1.0.3。
推荐 Skills