← 返回 Skills 市场
roarday

shixinchao

作者 RoarDay · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
86
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install shixinchao
功能描述
测试-史新超
安全使用建议
This skill is suspiciously inconsistent rather than overtly malicious. Before installing or providing secrets: (1) Do not provide your real API key yet — the registry metadata does not declare API_KEY. (2) Inspect and fix the code: program.py currently sets api_key = "" instead of reading os.environ['API_KEY'] (or similar), so authentication will fail or send an empty bearer token. (3) Confirm streaming behavior: requests.post is called with stream=False while the code iterates response.iter_lines() expecting SSE; change to stream=True and handle SSE properly. (4) Remember that user questions (potentially sensitive) will be sent to the external domain developer.jointpilot.com; only use a scoped/test key and review the remote service's privacy policies. (5) If you are not the developer, ask the publisher to (a) update the registry metadata to declare API_KEY as required, (b) correct program.py to read the env var and handle streaming, and (c) document what data is sent to the external API. If these issues are not resolved, treat the skill as untrusted.
功能分析
Type: OpenClaw Skill Name: shixinchao Version: 1.0.1 The skill bundle is a test implementation for interacting with the JointPilot AI API (developer.jointpilot.com). While the Python script (scripts/program.py) contains a functional bug where it fails to actually retrieve the API_KEY from the environment as described in SKILL.md, the code logic is limited to standard API request handling and SSE stream parsing. There is no evidence of data exfiltration, malicious execution, or prompt injection.
能力标签
requires-oauth-token
能力评估
Purpose & Capability
The SKILL.md and scripts indicate the skill is a thin client for the jointpilot async_chat API (Q&A/streaming). That purpose is reasonable for the declared functionality. However, the registry metadata lists no required environment variables while SKILL.md declares an API_KEY is required — a clear mismatch between what the skill says it needs and what the registry requests. This inconsistency suggests the package was not packaged correctly.
Instruction Scope
SKILL.md instructs the agent to call scripts/program.py and to read API_KEY from the environment, and it references an external endpoint (https://developer.jointpilot.com/...). Those instructions are within scope for a remote Q&A skill. The problem: the included script does not actually read the API_KEY from the environment (it sets api_key = ""), and the script calls requests.post with stream=False while parsing SSE lines — another implementation mismatch. These instruction/code inconsistencies mean the runtime behavior will not match the documented behavior and could leak or fail in unexpected ways.
Install Mechanism
No install spec is provided (instruction-only with a bundled script). This is low risk from an installation perspective because nothing arbitrary is downloaded at install time.
Credentials
SKILL.md requires a single sensitive env var (API_KEY) for bearer authentication to the external API — that is proportionate to the skill's purpose. However, the skill registry does not declare this required env var, and the program.py currently does not read the env var. The mismatch means user's API key may not be used as intended (or may be accidentally omitted), and the registry failing to declare the secret makes it easy to miss during review.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. Autonomous invocation is allowed (the platform default), which is normal for skills. No modifications to other skills or global agent settings are present.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install shixinchao
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /shixinchao 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
- Skill 名称与描述由“shixinchao”更新为“测试-史新超” - 其余功能和依赖保持不变
v1.0.0
Initial release of shixinchao skill. - Adds intelligent Q&A, context understanding, and streaming output capabilities. - Automatically triggers on user questions. - Requires Python dependency: requests==2.31.0. - Needs environment variable API_KEY for API calls. - Provides standard script integration for seamless API interaction.
元数据
Slug shixinchao
版本 1.0.1
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 2
常见问题

shixinchao 是什么?

测试-史新超. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 86 次。

如何安装 shixinchao?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install shixinchao」即可一键安装,无需额外配置。

shixinchao 是免费的吗?

是的,shixinchao 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

shixinchao 支持哪些平台?

shixinchao 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 shixinchao?

由 RoarDay(@roarday)开发并维护,当前版本 v1.0.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论