
Remnawave Account Creator

Author: uepuer · GitHub ↗ · v1.2.0 · MIT-0
cross-platform ⚠ suspicious
354 total downloads · 0 favorites · 0 current installs · 3 versions
Install in OpenClaw
/install remnawave-account-creator
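Description
Automatically calls the Remnawave API to create user accounts, retrieves subscription information, and sends the activation email from a template, with support for CC recipients and internal group configuration.
Security recommendations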
This skill appears to implement what it claims (create Remnawave accounts and send onboarding emails) but there are several red flags you should address before installing:
  1. The registry metadata claims no credentials are needed, yet the code and SKILL.md require a Remnawave API token and SMTP credentials — ask the author to declare required env vars (REMNAWAVE_API_TOKEN, SMTP credentials) and explain where they should be stored.
  2. Review credential storage: the code reads tokens from both remnawave.json and ~/.openclaw/workspace/.env inconsistently — avoid committing credentials to repo and prefer a single secure location.
  3. The docs recommend disabling SSL verification (sslRejectUnauthorized: false / verify=false) for self-signed certs — avoid enabling this in production; instead install proper certificates or run in an isolated environment.
  4. Review any use of child_process.exec and search the code for exec() calls to ensure no user-supplied data is passed to the shell.
  5. Verify the API host(s) and example external domains are legitimate for your org.
If you are not comfortable auditing the code, run this skill only in a sandboxed environment and request the author to provide clearer metadata, a source repository/homepage, and a trimmed minimal installation guide that declares required secrets and secure defaults.
Functional analysis
Type: OpenClaw Skill
Name: remnawave-account-creator
Version: 1.2.0
The skill bundle provides a comprehensive suite for managing Remnawave VPN accounts, including creation, squad assignment, and email notifications. It is classified as suspicious due to several high-risk vulnerabilities: `create-account.js` and `log-creation.js` use `exec()` to call sub-scripts by concatenating unsanitized input into shell commands, which presents a significant shell injection risk. Furthermore, the configuration and multiple scripts (e.g., `check-prerequisites.js`, `create-account.js`) explicitly support bypassing SSL certificate verification (`sslRejectUnauthorized: false`). While the behavior appears aligned with the stated administrative purpose and lacks clear evidence of intentional malice, these flaws represent critical security risks in an automated agent environment.
Capability assessment
Purpose & Capability
The skill's stated purpose (create Remnawave users and send SMTP mail) matches the included scripts, but the registry metadata declares no required environment variables or primary credential while the code and SKILL.md clearly require an API token and SMTP credentials stored in user files (e.g. ~/.openclaw/workspace/.env and ~/.openclaw/workspace/config/*.json). That mismatch between declared requirements and actual needs is incoherent and surprising to users.
Instruction Scope
SKILL.md and the scripts instruct the agent to read local config files (~/.openclaw/workspace/config/remnawave.json, smtp.json, remnawave-squads.json and ~/.openclaw/workspace/.env) and to call internal API endpoints on an IP (https://8.212.8.43). The docs also suggest disabling SSL verification (sslRejectUnauthorized: false) and even capture of management-panel requests via browser devtools — actions that expand scope and weaken security. Those behaviors are related to the task but include risky guidance and broaden what the skill will access.
Install Mechanism
There is no install spec (instruction-only), but the bundle contains many executable code files. That means installing the skill will place code on disk (no network downloads shown), which is fine, but the lack of an explicit install step combined with many scripts may surprise non-technical users. No external archives/unknown URLs are used in the provided files.
Credentials
The skill requires sensitive secrets (Remnawave API token and SMTP auth) in practice, yet the registry metadata lists no required env vars or primary credential. The code inconsistently reads credentials from different places (sometimes from remnawave.json.apiToken, sometimes from ~/.openclaw/workspace/.env REMNAWAVE_API_TOKEN), increasing the risk of accidental credential leakage or misconfiguration. SMTP credentials and API tokens are necessary for the stated purpose, but they should have been declared and the retrieval method should be consistent and secure.
Persistence & Privilege
The skill is not marked 'always: true' and is user-invocable (normal). disable-model-invocation is false (agent may invoke autonomously) which is the platform default — not flagged by itself. The skill does write/read config files in the user's workspace but does not request elevated system-wide privileges in the provided materials.
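How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install remnawave-account-creator
  3. After installation, invoke the Skill by name or trigger it with /remnawave-account-creator
  4. Provide the required inputs according to the Skill's parameter description to get structured output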
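Version history
v1.2.0
v1.2.0 - CI/CD workflow established: version number management mechanism, standardized operating procedures, automatic verification before and after operations, email notification integration, log archiving conventions
v1.1.0
Fixed API call errors: 1) Changed the group update endpoint from PUT /api/users/{uuid} to PATCH /api/users, passing the complete user data 2) Changed pagination parameters from page=1&limit=500 to page=0&size=200 3) Fixed callApi response parsing 4) Added complete API reference documentation
v1.0.0
Initial release - Remnawave account creation + automated email sending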
Metadata
Slug remnawave-account-creator
Version 1.2.0
License MIT-0
Total installs 0
Current installs 0
Number of versions 3
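FAQ

What is Remnawave Account Creator?

Automatically calls the Remnawave API to create user accounts, retrieves subscription information, and sends the activation email from a template, with support for CC recipients and internal group configuration. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 354 total downloads so far.

How do I install Remnawave Account Creator?

Run the command "/install remnawave-account-creator" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Remnawave Account Creator free?

Yes, Remnawave Account Creator is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Remnawave Account Creator support?

Remnawave Account Creator runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Remnawave Account Creator?

Developed and maintained by uepuer (@uepuer); the current version is v1.2.0.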
