some-test-skill-private
Author: ClawTip.team · v1.1.6 · MIT-0
Total downloads: 166 · Favorites: 0 · Current installs: 0 · Versions: 27
Install in OpenClaw
/install some-test-skill-private
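Description
Executes clawtip payment transactions for third-party skills. Trigger this tool strictly only in the following scenarios: a third-party service has initiated a valid clawtip payment request, the user explicitly asks to create a clawtip payment user token, or the user asks to view their clawtip wallet (triggering is strictly forbidden when no valid condition is met). When the user asks to view their clawtip wallet (for example, "view my clawtip...
Security recommendations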
This skill runs a pinned npm CLI (@hoshinoshita/[email protected]) via npx and makes network calls to npm/GitHub at runtime; that is expected for a CLI-based payment helper but means third‑party code will execute in your agent environment. Before installing, review the npm package repository and release (verify the source, maintainers, and any provenance/signatures if you rely on the IMPORTANT_STATEMENTS claims). Consider running the package in a restricted/sandboxed environment, and confirm your organization’s policy on executing npx packages. Note that payment URLs returned by the CLI may include short‑lived tokens; the skill instructs masking such tokens, but you should verify that your agent implementation enforces that masking and does not persist tokens to logs or external storage. If you cannot review the upstream CLI or restrict execution, treat this as higher risk and avoid enabling the skill.
Functional analysis
Type: OpenClaw Skill
Name: some-test-skill-private
Version: 1.1.6
The skill bundle facilitates payment transactions and wallet management via a specific NPM CLI tool (@hoshinoshita/[email protected]). The instructions in SKILL.md and IMPORTANT_STATEMENTS.md emphasize security best practices, such as human-in-the-loop (HITL) confirmation for all payments, masking sensitive tokens with '***' in logs, and explicitly forbidding the storage of private keys or the use of background polling. While it installs an external dependency, the bundle provides clear provenance claims and restricts the agent's scope to specific payment-related triggers, showing no signs of intentional malice or data exfiltration.
Capability assessment
Purpose & Capability
The skill claims to perform Clawtip payment actions and its instructions install/run a payment CLI (@hoshinoshita/[email protected]) and parse its output. Requesting an npm package and using npx is coherent with a CLI-based payment integration.
Instruction Scope
SKILL.md confines actions to running npm view and npx commands for the pinned CLI, parsing stdout for payment/auth links, and showing links to the user with explicit human confirmation. That scope matches the stated purpose. Note: the skill parses and may display URLs that can contain short‑lived tokens; the doc instructs masking when showing raw logs, but parsing/displaying transient tokens is a sensitive operation the user should be aware of.
Install Mechanism
No code files are included; runtime relies on a specific npm package pulled via npx/npm. This is an expected install path for a CLI but is a moderate-risk operation because arbitrary third-party code from npm will be executed. The package name and a GitHub repo are provided in IMPORTANT_STATEMENTS but provenance claims are not independently verified here.
Credentials
The skill requests no environment variables, no config paths, and does not require unrelated credentials. That is proportionate for a payment CLI wrapper which receives order_no/indicator parameters from the caller rather than storing secrets.
Persistence & Privilege
always: false and no install scripts or persistent config changes are declared in SKILL.md. The skill does not ask to modify other skills or system settings. Model invocation is permitted (platform default) but the skill enforces human-in-the-loop confirmation for payment actions.
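How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install some-test-skill-private
- Once installed, call the Skill by name or use /some-test-skill-private to trigger it
- Provide the required input according to the Skill's parameter description to get structured output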
Version history
v1.1.6
No code or documentation changes detected in this version.
- Version updated to 1.1.6 with no file or documentation modifications.
- No new features, bug fixes, or enhancements introduced.
v1.1.5
No file changes detected in this version.
- No updates or modifications were made to the skill in version 1.1.5.
- All functionality and documentation remain unchanged from the previous release.
v1.1.4
No file changes detected in this version.
- No changes were made to the skill's code or documentation.
- Functionality and instructions remain identical to the previous release.
v1.1.3
some-test-skill-private 1.1.3
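- Added a per-session environment and version verification step: before any command, silently run `npm view @hoshinoshita/my-pay-test-cli version` to make sure the npm registry is reachable and to lock the dependency version.
- All CLI invocations now explicitly use `npx --yes @hoshinoshita/[email protected]`, strengthening runtime dependency consistency and security isolation.
- Explicitly requires that all authorization and payment links be confirmed manually by the user; automatic polling and proactively reading sensitive data such as private keys are not allowed.
- The documentation adds a description of execution boundaries and security requirements.
- Other content and processing flows are unchanged.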
v1.1.2
some-test-skill-private 1.1.2
- No file changes detected in this version.
- No user-facing updates or modifications.
v1.1.1
some-test-skill-private v1.1.1
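- Relaxed the dependency installation policy: `--no-save --ignore-scripts` is no longer mandatory; only `--silent` is required when installing dependencies.
- Removed the detailed descriptions of dependency version pinning, lifecycle-script defenses, the egress sandbox, and the human security barrier.
- Trimmed the network/log redaction guidance; it now only recommends abbreviating sensitive tokens when errors occur.
- Kept the existing payment, authorization, registration, and wallet flow guidance; updated the documentation style to improve readability.
- No substantive changes to the core business commands or main flows.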
v1.1.0
some-test-skill-private v1.1.0
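- The dependency switched from being pinned by a specific Git commit hash to the official npm package version @hoshinoshita/[email protected].
- The install command now uses `--ignore-scripts`, explicitly disabling install lifecycle scripts to strengthen defenses during dependency fetching.
- Adjusted the prerequisites section to emphasize package version pinning and the static-extraction security boundary.
- Explicitly declares egress sandbox isolation and the "human involvement required" principle, to eliminate the risk of automated fund movement.
- Other rules for skill usage, payment processing, tokens, and wallets are unchanged.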
v1.0.19
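- Major security upgrade: dependency installation switched from the npm registry to an immutable commit hash in a controlled GitHub repository, eliminating the risk of registry tampering.
- The install command changed to `npm install git+https://github.com/hoshinoshita/my-pay-test-cli.git#82bcff0b597c0b74f4b9557b68b0bb81a32e102f --silent`, fully locking the dependency snapshot to satisfy strict compliance.
- Clarifies that the local package.json no longer takes part in dependency decisions; all execution is based on the core commit.
- Permission description updated: the CLI package install type is "github-verified", with added statements on strong isolation and auditing of network access and credential reads.
- Other payment and business flows remain consistent with the previous version; no changes were made.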
v1.0.18
some-test-skill-private 1.0.18
- No file changes detected in this version.
- No functional, behavior, or documentation updates from the previous release.
v1.0.17
No changes detected in this version.
v1.0.16
No file changes detected in this release.
- This version does not introduce any updates or modifications.
- No differences found compared to the previous version.
v1.0.15
**changelog for version 1.0.15:**
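- Improved dependency security: replaced the previous local package dependency check and local-path install with a global package-lock hash check, using `npm ci --silent` throughout to ensure the execution snapshot cannot be tampered with.
- Clarified the documentation: added security and isolation statements about SHA-512 integrity verification and package-lock signature verification, emphasizing the "no verification, no execution" principle.
- Other skill flows, CLI invocations, and redaction protections are unchanged.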
v1.0.14
some-test-skill-private 1.0.14
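- Hardened dependency installation: all CLI dependencies must be installed offline from the local same-origin directory, completely cutting off the risk of supply-chain poisoning.
- Added a detailed "extremely high security statement" and "authorization boundary isolation statement" describing the trust source and access scope limits of the local offline CLI package.
- Explicitly requires redacting sensitive parameters such as token and clawtipId in URLs before outputting exception logs, to prevent privacy leaks.
- Other business flows and processing steps are unchanged.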
v1.0.13
some-test-skill-private 1.0.13
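- Adjusted the "Create user payment token" and "Query user registration status" modules: removed the descriptions and actions related to scheduled tasks (cron / task naming and cancellation mechanism), keeping only direct command execution and result feedback.
- Streamlined the user guidance for the "authorization required" scenario: the user is prompted to scan the code and then reply with the passphrase; there is no scheduled proactive polling or registration-status query logic.
- Other functions and response flows are unchanged.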
v1.0.12
some-test-skill-private 1.0.12
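- The CLI dependency install command now specifies an explicit version: it installs @hoshinoshita/[email protected].
- Minor adjustment to the sensitive-data handling policy: on network errors or unknown errors, the CLI log must be reported verbatim so the user can troubleshoot.
- Other skill logic is unchanged; the existing responses to payment, token, and wallet instructions stay the same.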
v1.0.11
No file changes detected for version 1.0.11.
- No updates or modifications made in this release.
- All functionality and documentation remain unchanged.
v1.0.10
v1.0.10
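- Streamlined and standardized the dependency declaration, command-line parameters, and local install/verification policy.
- Simplified the `@hoshinoshita/my-pay-test-cli` dependency requirement and removed strict version checking (`>1.0.0` is no longer required).
- Unified the terminology and descriptions of the payment, authorization, and authentication flows; the structure of all processing protocol flows is clearer and more intuitive.
- Dropped the complex cron scheduled-task script details in favor of a simpler specification: "poll once on a schedule, at most 5 times".
- Refined the notification and log redaction requirements, further narrowing the risk of exposing sensitive data to users or in logs.
- Clarified the wallet link reply format, updated the explanatory text, and fixed several inconsistencies between the Chinese and English wording and examples.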
v1.0.9
**Summary:**
This version introduces enhanced version checks, detailed auditing, and user-approval flows for cron jobs, along with improved Chinese localization and more robust failure handling.
- Enforces local installation and integrity check for `@hoshinoshita/my-pay-test-cli` requiring version >1.0.0, aborts operation if version is too low.
- Adds strict audit log output for each CLI invocation, ensuring no sensitive data is logged.
- Requires explicit user approval before creating periodic ("cron") tasks to check registration status; provides clear instructions for permission and cancellation.
- Improves error handling and rollback logic for credential failures, making recovery options user-friendly and precise.
- Provides more detailed and user-oriented Chinese responses and flow clarifications throughout the payment, token, and wallet processes.
- Enhances command parameter validation, sensitive data masking, and stepwise branching for payment/peripheral flows.
v1.0.8
some-test-skill-private 1.0.8
- Added IMPORTANT_STATEMENTS.md to the project.
- No changes to code or logic; documentation update only.
v1.0.7
some-test-skill-private v1.0.7
- Removed the file IMPORTANT_STATEMENTS.md.
- No other changes detected in functionality or documentation.
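FAQ
What is some-test-skill-private?
Executes clawtip payment transactions for third-party skills. Trigger this tool strictly only in the following scenarios: a third-party service has initiated a valid clawtip payment request, the user explicitly asks to create a clawtip payment user token, or the user asks to view their clawtip wallet (triggering is strictly forbidden when no valid condition is met). When the user asks to view their clawtip wallet (for example, "view my clawtip... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 166 downloads to date.
How do I install some-test-skill-private?
Run the command "/install some-test-skill-private" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is required.
Is some-test-skill-private free?
Yes, some-test-skill-private is completely free and is released under the MIT-0 license; it can be freely downloaded, installed, and used.
Which platforms does some-test-skill-private support?
some-test-skill-private is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed some-test-skill-private?
It is developed and maintained by ClawTip.team (@xingyeyouran); the current version is v1.1.6.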