← 返回 Skills 市场
smarcombes

Secure API Calls

作者 Séverin MARCOMBES · GitHub ↗ · v1.0.3
cross-platform ⚠ suspicious
2715
总下载
4
收藏
14
当前安装
4
版本数
在 OpenClaw 中安装
/install secure-api-calls
功能描述
Call any API without leaking credentials. Keychains proxies requests and injects real tokens server-side — your agent never sees them.
安全使用建议
This skill appears internally consistent: it installs the Keychains CLI via npm and instructs the agent to route API calls through keychains.dev using placeholder tokens. Before installing, verify you trust the Keychains service and the npm package maintainer (review the package source, maintainers, and recent versions). Understand that the CLI will create a local keypair (~/.keychains/) and that full request metadata (URL, headers, body) will be proxied to keychains.dev — only placeholders are meant to contain secrets, but accidental inclusion of real secrets in other parts of a request would expose them to the proxy. If you require higher assurance, review the keychains npm package code, audit network traffic during a test run, pin the package version, and confirm the Keychains privacy/security documentation and ownership. Also note user-invocable:false and that autonomous model invocation is allowed by default — if you do not want an agent to call this skill without explicit user action, disable model invocation or avoid installing the skill.
功能分析
Type: OpenClaw Skill Name: secure-api-calls Version: 1.0.3 The skill is classified as suspicious due to its reliance on installing a global npm package (`[email protected]`) and the local generation of an Ed25519 SSH keypair in `~/.keychains/` by the `keychains` CLI, as detailed in `SKILL.md`. While the skill's stated purpose is to enhance security by abstracting credentials via a proxy service (`keychains.dev`), these operations introduce significant supply chain risks and trust requirements. If the `keychains` package or the `keychains.dev` service were compromised, it could lead to unauthorized access or credential leakage, despite the skill's explicit claims of security and privacy.
能力评估
Purpose & Capability
Name/description, required binary ('keychains'), and the npm install step all align: the skill is a wrapper around the Keychains CLI/SDK to proxy credentials server-side. There are no unrelated binaries or environment variables requested.
Instruction Scope
SKILL.md confines actions to installing/using the keychains CLI/SDK and instructs the agent to send requests through keychains.dev (using placeholders like {{OAUTH2_ACCESS_TOKEN}}). This is consistent with the stated purpose. It does, however, direct the tool to create local machine keys (~/.keychains/) and route full request metadata (URL, headers, body) via keychains.dev — meaning request payloads are sent to a third-party proxy. This is expected for the service but worth explicit user trust consideration.
Install Mechanism
Install uses npm ([email protected]) to create a 'keychains' binary. npm is an expected distribution mechanism for a CLI/SDK; no arbitrary download URLs or extract steps are used. Installing globally requires write permissions and will add a binary to the system PATH.
Credentials
The skill declares no required environment variables or external credentials, which is coherent because Keychains uses placeholders and a remote vault. The skill will generate local keys (~/.keychains) for machine auth; that is proportionate to the stated SSH challenge-response authentication mechanism.
Persistence & Privilege
The skill does not request always:true and does not ask for extra system privileges, but it will create persistent local state (~/.keychains/) and communicates with an external proxy service. Autonomous model invocation remains enabled (default), so an agent could call this skill to proxy requests; consider the privacy/trust implications of allowing autonomous calls that send request bodies to keychains.dev.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install secure-api-calls
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /secure-api-calls 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.3
- SKILL.md significantly updated for clarity, conciseness, and easier onboarding. - Audience refocus: emphasizes agent and end-user security, user control, and setup simplicity. - Adds quick start, usage, troubleshooting, and explicit security sections. - Highlights install command, service requirements, and provider compatibility. - Updates metadata for improved integration and discoverability. - Removes older SKILL.md sections now superseded by new structured documentation.
v1.0.2
- Updated CLI usage: now recommends installing the CLI globally with `npm install -g [email protected]` and using the `keychains` command instead of `npx -y [email protected]`. - Updated environment variable instructions: `KEYCHAINS_TOKEN` should be minted using `keychains token` instead of the previous `npx` command. - Added links to source code, privacy policy, and terms of service in the metadata. - Documentation improvements for clarity and up-to-date examples.
v1.0.1
- Added detailed metadata fields: homepage, security info, installs, env variables, config paths, and explicit permissions. - CLI and SDK install commands updated to pin version to 0.0.13 for security - Environment variable usage clarified for KEYCHAINS_TOKEN, especially for SDKs. - Explicit config file paths and their purposes listed for better transparency. - Permissions and network access explicitly documented. - No changes to core functionality or usage instructions.
v1.0.0
- Initial release of Secure API Calls skill. - Enables calling any API without exposing credentials. - Uses Keychains.dev as a trusted proxy to inject OAuth/API keys server-side. - Supports CLI, TypeScript (Machine & Client SDKs), and Python. - Credentials are never accessible by the agent; users remain in control and can revoke access at any time. - Compatible with 5,500+ API providers.
元数据
Slug secure-api-calls
版本 1.0.3
许可证
累计安装 15
当前安装数 14
历史版本数 4
常见问题

Secure API Calls 是什么?

Call any API without leaking credentials. Keychains proxies requests and injects real tokens server-side — your agent never sees them. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2715 次。

如何安装 Secure API Calls?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install secure-api-calls」即可一键安装,无需额外配置。

Secure API Calls 是免费的吗?

是的,Secure API Calls 完全免费(开源免费),可自由下载、安装和使用。

Secure API Calls 支持哪些平台?

Secure API Calls 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Secure API Calls?

由 Séverin MARCOMBES(@smarcombes)开发并维护,当前版本 v1.0.3。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论