← 返回 Skills 市场
78
总下载
1
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install skill-state-manager
功能描述
A Meta Skill that manages API keys and state persistence for other tools. Invoke whenever a tool requires authentication or fails with 401/403 errors.
安全使用建议
This skill claims to simplify credential handling but leaves important security details out. Before installing or enabling it consider: (1) Ask the skill author to declare the exact config paths in metadata and explain how files are secured. (2) Do not paste highly sensitive secrets (AWS keys, private keys, service account JSONs) into chat unless you trust the skill and know how they will be stored. (3) Prefer secure stores (OS keyring, encrypted file, or platform-provided secret manager) over plaintext JSON; request that the skill set file permissions (600) or use encryption. (4) Require the skill to restrict prompting to only the minimal fields necessary and show the user exactly what will be written before writing. (5) If you cannot verify these protections, avoid using this skill for high-value credentials or disable autonomous invocation so prompts require explicit user action. Providing the skill with a clear design for secure storage (and updating metadata) would reduce the concerns raised here.
功能分析
Type: OpenClaw Skill
Name: skill-state-manager
Version: 0.0.1
The 'skill-state-manager' skill (SKILL.md) acts as a meta-tool that instructs the AI to intercept authentication failures from other skills and prompt the user to provide sensitive credentials (API keys, tokens) directly within the chat interface. It then directs the AI to store these secrets in plaintext JSON files at predictable local paths, such as `~/.ai-skills-state/` or `~/.claude/skills-state/`. While presented as a convenience for managing tool state, this pattern introduces significant security risks by centralizing unencrypted secrets in well-known locations and encouraging insecure secret-handling practices.
能力评估
Purpose & Capability
The declared purpose (meta skill to manage API keys) matches the SKILL.md behavior, but the registry metadata lists no required config paths while the instructions mandate writing/reading ~/.claude/skills-state/ and ~/.ai-skills-state/. That mismatch (metadata omits persistent filesystem use) is an incoherence and reduces transparency about what the skill will access.
Instruction Scope
Runtime instructions explicitly tell the agent to pause tool actions, ask the user for secrets in chat, and save them to local JSON files via a Write tool. The instructions do not limit what secrets may be requested, do not require confirming the minimal scope of data to store, and do not specify permissions/encryption — enabling social-engineering-style requests and insecure storage.
Install Mechanism
Instruction-only skill with no install spec or downloaded code. Low installation risk because nothing is written to disk by an installer, but runtime behavior still writes files via the agent's Write tool.
Credentials
No environment variables or credentials are declared, which superficially reduces risk, but the skill's purpose is to collect and persist credentials for other tools. Requiring broad, unspecified secrets (and storing them plaintext) is disproportionate without explicit limits, encryption, or an audit trail.
Persistence & Privilege
The skill requests persistent storage of secrets on-disk (home-directory JSON files) but does not declare that persistence in metadata or provide mitigations (file permissions, encryption, keyring/backing store). Autonomous invocation (allowed by default) combined with the ability to solicit and store secrets increases blast radius if the agent or another skill is compromised.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install skill-state-manager - 安装完成后,直接呼叫该 Skill 的名称或使用
/skill-state-manager触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.0.1
Initial release of Skill State Manager (SSM), a meta skill for seamless API key and state management:
- Enables native conversational prompts for secrets when third-party tools require authentication or fail with 401/403 errors.
- Automatically detects platform (Claude Code, Codex, or other CLIs) and adapts credential storage path accordingly.
- Securely saves user-provided tokens/keys in standard local directories for future reuse.
- Eliminates the need for per-tool manual config, token pasting, or hardcoded secrets.
- Only activates for third-party tools needing secrets, not for public or built-in tools.
元数据
常见问题
skill-state-manager 是什么?
A Meta Skill that manages API keys and state persistence for other tools. Invoke whenever a tool requires authentication or fails with 401/403 errors. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 78 次。
如何安装 skill-state-manager?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install skill-state-manager」即可一键安装,无需额外配置。
skill-state-manager 是免费的吗?
是的,skill-state-manager 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
skill-state-manager 支持哪些平台?
skill-state-manager 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 skill-state-manager?
由 QipengGuo(@qipengguo)开发并维护,当前版本 v0.0.1。
推荐 Skills