Sally AI
Author: Sally Labs · v1.0.4
Total downloads: 790
Favorites: 5
Current installs: 2
Versions: 5
Install in OpenClaw
/install sally-ai
Description
Chat with Sally about metabolic health, blood sugar, A1C, nutrition, fasting, supplements, and lab results. Uses the Sally MCP server on Smithery with x402 m...
Safe Usage Recommendations
This skill’s payment model (Smithery + x402) can be legitimate, but do not paste your wallet private key into a command or URL unless you fully trust Smithery and understand the risks. A private key exposed on the command line can leak via shell history, process lists, CI logs, or backups. Before installing or using the skill:
(1) Confirm Smithery and the Sally MCP source code (the GitHub repo) are trustworthy and review how Smithery stores and uses keys.
(2) Prefer safer signing options (smithery auth login, hardware wallet, remote signing, or ephemeral wallets) instead of embedding a raw private key.
(3) If you must proceed, create a dedicated hot wallet with minimal funds as the skill advises and pin the smithery CLI to a specific, reviewed version instead of @latest.
(4) Consider testing with an empty/low‑value wallet first and monitor chain transactions.
If you are not comfortable with Smithery having custody of a private key, do not install or use this skill.
Functional Analysis
Type: OpenClaw Skill
Name: sally-ai
Version: 1.0.4
The skill is classified as suspicious due to a significant security vulnerability in its setup instructions within `SKILL.md`. It explicitly instructs the user to provide their private key directly on the command line (`smithery mcp add ... privateKey=0xYOUR_PRIVATE_KEY`). While the documentation claims the key is stored encrypted in Smithery's cloud and Clawbot never sees it, passing a private key via command-line arguments is a critical security risk, as it can expose the key in shell history, process lists, or system logs. This constitutes a severe vulnerability, even if not indicative of intentional malicious exfiltration by the skill developer.
Capability Assessment
Purpose & Capability
Requiring the smithery CLI and an x402 wallet is consistent with the skill's stated micropayment-based design for a paid chat service. Asking the user to register an MCP endpoint with Smithery aligns with that purpose. However, the way the private key is delivered (embedded in the mcp add URL/command) is not a necessary or standard practice for a chat-only skill and raises concerns.
Instruction Scope
SKILL.md explicitly instructs users to include their wallet private key in the smithery mcp add command (as a URL query parameter). That exposes the private key to shell history, process listings, and possibly logs. The README claims 'Clawbot never sees your private key' and that Smithery stores it encrypted, but the instructions grant Smithery full custody of the private key — this is broader scope than a typical chat skill and is a sensitive, high-risk action.
Install Mechanism
Install uses npm formula @smithery/cli@latest to create the smithery binary. Installing a CLI from the npm registry is a common pattern (moderate risk). Using the @latest tag is convenient but less reproducible and could introduce unexpected updates; no obscure download URLs are present.
Credentials
The skill declares no required env vars, yet the runtime instructions require you to hand over a private key to an external service. Requesting a wallet private key (sensitive credential) is disproportionate for a chat skill unless the payment design truly requires key custody. The documentation does not offer safer alternatives (e.g., local signing, hardware wallet, remote signing via OAuth) and exposes the key in command-line form.
Persistence & Privilege
The skill is not always-enabled, requests no config paths, and does not ask to modify other skills. It does rely on a third-party cloud (Smithery) to store keys, but the skill itself does not request elevated persistent platform privileges.
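How to Use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install sally-ai`
- Once installation completes, invoke the Skill by name or trigger it with `/sally-ai`
- Provide the required inputs according to the Skill's parameter description to get structured output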
Version History
v1.0.4
- Updated setup instructions to require users to add their own dedicated wallet private key to Smithery for x402 micropayments
- Clarified that Clawbot never sees the user's private key; it is stored encrypted in Smithery's cloud only
- Expanded security and privacy sections with connection details, best practices for wallet usage, and data flow diagrams
- Adjusted description and homepage formatting for clarity and accuracy
- Removed references to pre-configured payment; setup now requires explicit wallet provisioning by user
v1.0.3
- Updated setup instructions to reference Option C from the Sally MCP documentation; simplified and removed private key handling steps.
- Clarified that all payments are handled automatically by Smithery—users should not initiate payments or share private keys.
- Added Traditional Chinese Medicine (TCM) for metabolic health to the skill’s scope.
- Enhanced and simplified security and privacy explanations, emphasizing background payment management.
- Added a .gitignore file.
v1.0.2
- Updated setup instructions: Smithery now stores the wallet private key in encrypted cloud storage instead of locally.
- Improved security messaging: Emphasized that Clawbot never accesses your private key and explained the new storage flow.
- Clarified wallet usage recommendations and best practices.
- Expanded setup and verification steps for clearer onboarding.
- Streamlined and clarified sections on data flow and the x402 protocol.
v1.0.1
Added Security & Privacy section addressing OpenClaw security scanner concerns. No functional changes.
v1.0.0
Initial release — metabolic health AI via Sally MCP on Smithery with x402
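Metadata
FAQ
What is Sally AI?
Chat with Sally about metabolic health, blood sugar, A1C, nutrition, fasting, supplements, and lab results. Uses the Sally MCP server on Smithery with x402 m... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 790 total downloads to date.
How do I install Sally AI?
Run the command "/install sally-ai" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is Sally AI free?
Yes, Sally AI is completely free (open source and free of charge) and can be freely downloaded, installed, and used.
Which platforms does Sally AI support?
Sally AI runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who develops Sally AI?
It is developed and maintained by Sally Labs (@sally-labs); the current version is v1.0.4.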