SecondMe OAuth2 login and API integration tool built for 百度秒哒 (Baidu Miaoda) apps; completes the Connect to SecondMe OAuth2 integration
Author: Socialite UCL LJH · GitHub · v1.0.2 · MIT-0
Total downloads: 103 · Favorites: 1 · Current installs: 0 · Versions: 3
Install in OpenClaw:
/install secondme-connect-miaoda
Description
SecondMe Connect - digital twin integrator. Lets 百度秒哒 apps plug into the SecondMe ecosystem with one-click OAuth2 login and full API access. Integration takes 3 steps and works out of the box.
Safe-use recommendations
This package is coherent for its stated goal, but follow these safety checks before deploying:
- Treat SUPABASE_SERVICE_ROLE_KEY and SECONDME_CLIENT_SECRET as highly sensitive: configure them only as server-side/Edge Function secrets (e.g., with `supabase secrets set`), never commit them to source control, and never ship them in the frontend bundle.
- Rigorously test Row-Level Security (RLS) in your Supabase project: authenticate as two or more different users and confirm that SELECT and UPDATE on profiles return or touch only the caller's own row, and that an unauthenticated (anon) request returns nothing. If RLS is misconfigured or disabled, every stored access_token in the table could be read by any client.
- Consider whether the frontend truly needs direct access to the raw SecondMe access_token. If possible, proxy SecondMe API calls through the Edge Function (server-side) so the token never reaches client code; this also removes the dependency on RLS being perfect.
- Configure ALLOWED_ORIGINS strictly (never '*'): list full origins (scheme, host and, where non-default, port) and match the request's Origin header exactly. Verify that the getAllowedOrigins/CORS implementation behaves as you expect in your deployment environment, including for preflight (OPTIONS) requests and for requests that carry no Origin header at all.
- Review Edge Function logs and the token-exchange endpoint usage (https://api.mindverse.com...) to ensure tokens are obtained and stored exactly as intended; confirm that the skill is calling the official SecondMe endpoints for your integration.
- The registry metadata had a formatting bug for the env listing — rely on SKILL.md and the template files to understand required env vars.
- Perform a light code review of the Edge Function's use of the Supabase auth admin APIs (listUsers/createUser/generateLink) and ensure it matches your Supabase plan/ACLs and that the magic-link behavior meets your security requirements (token lifetime, single use, revocation).
If you are not comfortable managing high-privilege keys or verifying RLS/CORS yourself, involve a developer or security engineer before deploying to production.
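The ALLOWED_ORIGINS check above is worth verifying by reading code rather than trusting a setting. The following is an added example, not the skill's own getAllowedOrigins or Edge Function code, of how a strict origin allowlist for a Supabase Edge Function can be written: the env value is split and normalized, a wildcard or empty list makes startup fail closed, only https origins (plus localhost for development) are accepted, and CORS headers are emitted only for an exact match against the request's Origin header. Function names, the header set and the sample origins are assumptions; the "no Origin header means reject" rule assumes the endpoint is only ever called from the browser frontend.

```typescript
// Added example: strict CORS origin allowlisting for an OAuth callback Edge Function.
// Illustrative code, not the skill's getAllowedOrigins implementation.

export type CorsHeaders = Record<string, string>;

// Parse ALLOWED_ORIGINS, e.g. "https://app.example.com,https://admin.example.com".
// Throws on a wildcard, an empty list, a non-https origin (localhost excepted) or an
// entry that is not a bare origin, so a misconfiguration fails at startup instead of
// silently allowing every origin. Default ports must be omitted ("https://h:443" fails).
export function parseAllowedOrigins(raw: string | undefined): Set<string> {
  const origins = (raw ?? "")
    .split(",")
    .map((o) => o.trim().toLowerCase().replace(/\/+$/, ""))
    .filter((o) => o.length > 0);
  if (origins.length === 0) {
    throw new Error("ALLOWED_ORIGINS is empty; refusing to start with no allowlist");
  }
  for (const o of origins) {
    if (o.includes("*")) {
      throw new Error(`ALLOWED_ORIGINS must not contain a wildcard: ${o}`);
    }
    let parsed: URL;
    try {
      parsed = new URL(o);
    } catch {
      throw new Error(`ALLOWED_ORIGINS entry is not a valid origin: ${o}`);
    }
    const devHost = parsed.hostname === "localhost";
    if (parsed.origin !== o || (parsed.protocol !== "https:" && !devHost)) {
      throw new Error(`ALLOWED_ORIGINS entry must be a bare https origin (or localhost): ${o}`);
    }
  }
  return new Set(origins);
}

// Return the CORS headers for a request, or null when its Origin is not allowed.
// A missing Origin header (curl, server-to-server) is treated as not allowed here
// because this endpoint is assumed to be called only by the browser frontend.
export function corsHeadersFor(
  requestOrigin: string | null,
  allowed: Set<string>,
): CorsHeaders | null {
  if (!requestOrigin) return null;
  const origin = requestOrigin.trim().toLowerCase();
  if (!allowed.has(origin)) return null;
  return {
    // Echo exactly the one matching origin; never "*" on an endpoint that handles tokens.
    "Access-Control-Allow-Origin": origin,
    // Tell caches the answer depends on Origin so one origin's response is not replayed.
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "authorization, content-type",
  };
}

export interface Decision {
  status: number;      // HTTP status to send if proceed is false
  headers: CorsHeaders;
  proceed: boolean;    // true: continue into the real callback handler
}

// Unknown origin: 403 with no CORS headers (browser will also block the read).
// Allowed preflight: 204 with the headers. Allowed real request: hand off to the handler.
export function decideCors(
  method: string,
  requestOrigin: string | null,
  allowed: Set<string>,
): Decision {
  const headers = corsHeadersFor(requestOrigin, allowed);
  if (headers === null) return { status: 403, headers: {}, proceed: false };
  if (method.toUpperCase() === "OPTIONS") return { status: 204, headers, proceed: false };
  return { status: 200, headers, proceed: true };
}

// Constructed sample configuration (assumed origins, not a real deployment).
export const sampleAllowed = parseAllowedOrigins(
  "https://miaoda-app.example.com, https://Admin.Example.com/",
);
```

In an Edge Function handler the pattern is: call decideCors with `req.method` and `req.headers.get("origin")` before doing any work, return early unless `proceed` is true, and spread `headers` into every response including error responses, so a rejected request never leaks a permissive header.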
Functional analysis
Type: OpenClaw Skill
Name: secondme-connect-miaoda
Version: 1.0.2
The skill bundle provides a legitimate OAuth2 integration for the SecondMe ecosystem into Supabase-based applications. It implements standard security practices, including CSRF protection using state parameters in 'LoginButton.tsx', whitelist-based CORS validation in the 'secondme-oauth-callback' Edge Function, and Row Level Security (RLS) for protecting user tokens in 'profiles.sql'. The documentation in 'SKILL.md' and 'INTEGRATION.md' explicitly highlights the risks of high-privilege keys (SUPABASE_SERVICE_ROLE_KEY) and provides clear instructions on secure configuration. No evidence of intentional malice, data exfiltration, or unauthorized execution was found.
Capability assessment
Purpose & Capability
The name/description (SecondMe OAuth2 + API integration for 百度秒哒 apps) match the included templates and runtime instructions: front-end React components, a Supabase-backed profiles table, and an Edge Function that exchanges code for tokens and creates/updates Supabase users. The required binaries (node, npm) and the requested env vars (Supabase URLs/keys, SecondMe client id/secret, redirect URIs, ALLOWED_ORIGINS) are appropriate and expected for this purpose.
Instruction Scope
SKILL.md and the Edge Function code stay within the stated purpose: they perform OAuth code->token exchange, persist tokens to the profiles table, and generate a magic link for sign-in. One notable design choice: user access_tokens are stored in profiles.secondme_access_token and the front-end is allowed to read the user's own token (protected by RLS). This is an explicit tradeoff (direct client calls to SecondMe) and increases risk if RLS is misconfigured — the docs repeatedly warn about this and instruct testing, but the deployment must carefully validate RLS and CORS.
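The state-parameter CSRF protection credited to LoginButton.tsx above, and the code-for-token flow described here, are easiest to review with the two halves side by side. The following is an added example, not the skill's LoginButton.tsx or its Edge Function: before redirecting, a random state is minted, stored with its issue time and bound into the authorize URL; on the way back, the returned code is accepted only if the state matches in constant time, has not expired and has not been used before. The storage key, the 10-minute window, the URLs and the client id are assumptions; storage is abstracted so the same logic runs against window.sessionStorage in a browser or against a Map in tests.

```typescript
// Added example: OAuth2 "state" handling that guards the login flow against CSRF.
// Illustrative only; not the code of LoginButton.tsx or the skill's callback function.
import { randomBytes, timingSafeEqual } from "node:crypto";

// Minimal storage abstraction: window.sessionStorage satisfies it in a browser,
// MemoryStore stands in for tests.
export interface StateStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

export class MemoryStore implements StateStore {
  private m = new Map<string, string>();
  getItem(k: string): string | null { return this.m.get(k) ?? null; }
  setItem(k: string, v: string): void { this.m.set(k, v); }
  removeItem(k: string): void { this.m.delete(k); }
}

const STATE_KEY = "secondme_oauth_state";  // assumed storage key
const STATE_TTL_MS = 10 * 60 * 1000;        // assumed 10-minute validity window

export type LoginResult = { ok: true; code: string } | { ok: false; reason: string };

// Step 1, before redirecting to the authorization server: mint 128 bits of random
// state, remember it with its issue time, and bind it into the authorize URL.
export function beginLogin(
  authorizeUrl: string,
  clientId: string,
  redirectUri: string,
  store: StateStore,
  now: number = Date.now(),
): string {
  const state = randomBytes(16).toString("base64url");
  store.setItem(STATE_KEY, JSON.stringify({ state, issuedAt: now }));
  const u = new URL(authorizeUrl);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("state", state);
  return u.toString();
}

// Step 2, on the redirect back: hand the code to the token exchange only if the state
// in the callback URL matches the one we issued, is unexpired and unused. The stored
// state is consumed on every attempt, pass or fail, so it can never be replayed.
export function completeLogin(
  callbackUrl: string,
  store: StateStore,
  now: number = Date.now(),
): LoginResult {
  const params = new URL(callbackUrl).searchParams;
  const received = params.get("state");
  const code = params.get("code");
  const saved = store.getItem(STATE_KEY);
  store.removeItem(STATE_KEY);

  if (!saved) return { ok: false, reason: "no pending login in this session" };
  if (!received || !code) return { ok: false, reason: "callback is missing state or code" };

  const { state: expected, issuedAt } = JSON.parse(saved) as { state: string; issuedAt: number };
  if (now - issuedAt > STATE_TTL_MS) return { ok: false, reason: "state expired" };

  // Constant-time comparison; lengths are checked first because timingSafeEqual requires equal sizes.
  const a = Buffer.from(expected);
  const b = Buffer.from(received);
  if (a.length !== b.length || !timingSafeEqual(a, b)) {
    return { ok: false, reason: "state mismatch (possible CSRF or stale tab)" };
  }
  return { ok: true, code };
}
```

Only after completeLogin returns ok should the frontend POST the code to the Edge Function for the server-side exchange; a forged or replayed callback never reaches that step, which is the property the state parameter exists to provide.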
Install Mechanism
There is no remote install/download step; this is an instruction-only/template package containing source files for developers to copy into their project. No external arbitrary archives or network-based installers are pulled by the skill itself.
Credentials
The skill requests multiple secrets (SUPABASE_SERVICE_ROLE_KEY, SECONDME_CLIENT_SECRET) which are high-privilege but necessary for the Edge Function to create/update Supabase users and perform server-side token exchanges. The number of env vars is justified by the architecture, but operational caution is required: the service role key must be kept secret and placed only in the server/Edge Function environment (not in repos or the frontend). Also note that the manifest entry in the registry showed 'Required env vars: [object Object]' (a formatting bug); rely on SKILL.md for the accurate list.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It needs no persistent elevated platform privileges beyond the expected use of a Supabase service key inside an Edge Function (which is declared and documented).
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- In the chat box, enter the install command: /install secondme-connect-miaoda
- After installation, call the skill by name or trigger it with /secondme-connect-miaoda
- Provide the inputs required by the skill's parameter description to receive structured output
Version history
v1.0.2
- Clarified documentation: the SecondMe access_token is stored in the database, protected by RLS policies, and the frontend can read its own user's token.
- Added security advice: new RLS policy example and verification steps, with a reminder to verify that the policy is correct.
- Updated CORS configuration notes: emphasized that ALLOWED_ORIGINS must be restricted to avoid the risk of token leakage.
- Removed the "no plaintext access_token is returned" statement so the docs match the actual behavior (the frontend can read the token).
- In response to the security review, focused on disclosing the details of access_token handling and protection.
v1.0.1
- Added introductory documentation: `INTRODUCTION.md` file now included.
- No changes to functionality; documentation addition only.
v1.0.0
- Initial release with full SecondMe OAuth2 login and API-call integration
- Provides an Edge Function example, frontend React components and database scripts
- Lets 百度秒哒 apps integrate SecondMe login and several API features (chat, memory, square, etc.) in one click
- Includes a detailed quick-integration guide and troubleshooting docs
FAQ
What is secondme-connect-miaoda?
SecondMe Connect - digital twin integrator. It lets 百度秒哒 apps plug into the SecondMe ecosystem with one-click OAuth2 login and full API access; integration takes 3 steps and works out of the box. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 103 downloads to date.
How do I install secondme-connect-miaoda?
Run the command /install secondme-connect-miaoda in the OpenClaw or Claude Code chat box to install it in one step. The install itself needs no extra configuration, but the environment variables listed in SKILL.md (Supabase URLs/keys, SecondMe client id/secret, redirect URIs, ALLOWED_ORIGINS) must be set before the integration works.
Is secondme-connect-miaoda free?
Yes. It is completely free under the MIT-0 license and can be downloaded, installed and used without restriction.
Which platforms does secondme-connect-miaoda support?
It is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who developed secondme-connect-miaoda?
Developed and maintained by Socialite UCL LJH (@lijinhongucl-pixel); current version v1.0.2.