← 返回 Skills 市场
325
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install sap
功能描述
Let your agent shop on Amazon with guardrailed wallets and owner approval.
安全使用建议
Key things to check before installing: 1) Confirm the publisher and listing metadata — the skill's displayed name/slug differ from the embedded CreditClaw content; ask the publisher why. 2) Verify creditclaw.com is a legitimate service you trust; the skill will use your CREDITCLAW_API_KEY to move money. 3) Understand file behavior: the instructions suggest downloading and saving files to ~/.creditclaw and saving owner-supplied encrypted card files that include a decrypt.js script. Only install if you trust the remote files and if the agent runtime can sandbox/auto-delete sub-agents and prevent script execution from untrusted files. 4) Avoid running the 'alternative' mode where the main agent executes decrypt steps (this would expose decrypted card data). 5) If you proceed, require manual human approval for any top-up or purchase and monitor owner/dashboard activity; consider keeping the API key in a secrets manager and restrict network access so the key is only used toward creditclaw.com. If you cannot validate the publisher or cannot guarantee sandboxing, do not install.
功能分析
Type: OpenClaw Skill
Name: sap
Version: 1.0.0
The skill bundle facilitates financial transactions for AI agents but introduces high-risk execution patterns. Specifically, 'encrypted-card.md' describes a flow where the agent receives a file via API (event 'rail5.card.delivered'), saves it locally, and is instructed to execute a script contained within that file ('node decrypt.js'). This 'remote code execution by design' pattern allows the server (creditclaw.com) to push and execute arbitrary logic on the agent's host. Additionally, 'skill.md' provides a 'curl | bash' style installation block for downloading and saving multiple markdown files, which is a risky supply-chain pattern.
能力评估
Purpose & Capability
The skill's files and SKILL.md consistently implement an agent shopping/financial capability against creditclaw.com using CREDITCLAW_API_KEY, which is proportionate. However the top-line name shown in the evaluation ('SAP Skills - Use SAP for procurement with your agent') and the registry slug ('sap') do not match the skill content (CreditClaw Amazon shopping). This mismatch between listing metadata and actual files is suspicious and should be explained by the publisher before trusting the package.
Instruction Scope
The runtime instructions tell the agent to call many CreditClaw API endpoints (expected) but also recommend downloading and saving multiple remote Markdown files into ~/.creditclaw/skills/amazon and saving owner-delivered encrypted card files into .creditclaw/cards. The encrypted-card flow explicitly instructs spawning ephemeral sub-agents to run a delivered decrypt.js script (contained in owner-supplied files) to decrypt card data and then execute checkout steps. Executing code delivered inside an encrypted card file (decrypt.js) is a real risk if the environment does not strictly sandbox sub-agents; the documentation relies on sub-agent isolation but also documents an alternative of running the steps in the main agent (which would expose decrypted card data).
Install Mechanism
No formal install spec (instruction-only) — lowest automated install risk. The SKILL.md suggests curl commands to fetch files from https://creditclaw.com; those URLs are consistent and not obscure, but they will write content to the user's home directory if followed. Downloading remote files and placing them under ~/.creditclaw is operationally normal for an instruction-only skill, but it is a persistence action initiated by the agent/user rather than a vetted package installation.
Credentials
Only CREDITCLAW_API_KEY is required and is the declared primary credential. That matches the described API usage and is proportionate for a payments/shopping integration. No other unrelated secrets or config paths are requested.
Persistence & Privilege
The skill does not request elevated platform privileges and is not always-enabled. It recommends storing skill files and owner-supplied card files under dot-directories (~/.creditclaw). Persisting those files is expected for the described flows but creates attack surface (saved decrypt scripts and encrypted card files). The skill instructs spawning ephemeral sub-agents; if your platform cannot enforce strict isolation and automatic deletion, the sub-agent pattern's security guarantees may not hold.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install sap - 安装完成后,直接呼叫该 Skill 的名称或使用
/sap触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
**Major update: introduces CreditClaw as a secure Amazon shopping solution for bots and agents.**
- Skill now named "creditclaw-amazon," version 2.3.0, with a new homepage and detailed API docs.
- Enables agents to shop on Amazon with strict spending guardrails, encrypted cards, and required owner approval.
- Adds support for multiple payment rails (Encrypted Card, Stripe Wallet/x402, coming soon: Crossmint Wallet).
- Outlines robust, layered security: API key handling, transaction approval modes, spending limits, and ephemeral agent design.
- Provides links and descriptions for individual documentation files covering setup, payments, and management.
- Instructions included for local or direct install and reading of skill files.
元数据
常见问题
SAP Skills - Use SAP for procurement with your agent 是什么?
Let your agent shop on Amazon with guardrailed wallets and owner approval. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 325 次。
如何安装 SAP Skills - Use SAP for procurement with your agent?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install sap」即可一键安装,无需额外配置。
SAP Skills - Use SAP for procurement with your agent 是免费的吗?
是的,SAP Skills - Use SAP for procurement with your agent 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
SAP Skills - Use SAP for procurement with your agent 支持哪些平台?
SAP Skills - Use SAP for procurement with your agent 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 SAP Skills - Use SAP for procurement with your agent?
由 jononovo(@jononovo)开发并维护,当前版本 v1.0.0。
推荐 Skills