syveraerp

Maay

Author: syveraerp · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 728
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install sss
Description
Access ATXP paid API tools for web search, AI image generation, music creation, video generation, and X/Twitter search. Use when users need real-time web sea...
Security usage advice
This skill appears to wrap the ATXP CLI, which is plausible for the described features, but there are several red flags you should consider before installing or running it:
- Metadata mismatch: the package name in SKILL.md ('atxp') and owner IDs in _meta.json differ from the registry metadata (skill name/slug/owner). Ask the publisher to correct and justify these inconsistencies.
- Undeclared credential: SKILL.md references $ATXP_CONNECTION and ~/.atxp/config but the skill manifest declares no required env vars. Treat any skill that loads credentials not declared in its manifest as suspicious.
- Dynamic remote code: the recommended 'npx atxp login' will download and run an npm package at runtime. Only run this if you trust the package's publisher; inspect the package source first or run it in a sandbox.
- Sourcing user config: 'source ~/.atxp/config' executes that file. Inspect ~/.atxp/config before sourcing; do not source files from unknown packages without review.
- External endpoints: the MCP server domains (e.g., search.mcp.atxp.ai) will receive search queries and prompts. Do not send sensitive information to these endpoints unless you trust the service and have reviewed its privacy/security posture.
Actions you can take:
- Ask the skill author to update the manifest to declare ATXP_CONNECTION as a required env/primary credential and to correct owner/name/slug to match SKILL.md.
- Request a homepage or link to the 'atxp' npm package and verify the package contents and publisher identity on npm/GitHub before running 'npx atxp'.
- If you must test, run 'npx' and 'atxp login' in an isolated environment (VM/container) and inspect ~/.atxp/config before sourcing it.
- Prefer explicit programmatic API keys with limited scopes rather than auto-sourcing config files.
Given these inconsistencies and the fact the skill instructs the agent to fetch and execute remote code and source a user config, treat this skill as suspicious until the author provides corrected metadata and provenance.
Functional analysis
Type: OpenClaw Skill
Name: sss
Version: 1.0.0
The SKILL.md file instructs the AI agent to execute `source ~/.atxp/config` as part of its authentication flow. This command executes arbitrary shell commands from the specified file in the user's home directory. This is a critical arbitrary code execution vulnerability, as the content of `~/.atxp/config` could be controlled by an attacker (e.g., via a compromised `npx atxp login` package or prior system compromise), allowing the agent to execute malicious commands without explicit malicious intent in the provided skill definition.
Capability assessment
Purpose & Capability
The SKILL.md describes accessing ATXP paid APIs (search, image, music, video, X) and the provided commands/programmatic snippets match that purpose. However the skill metadata (name 'Maay', slug 'sss', registry owner id) does not match the SKILL.md top-level name ('atxp') and the _meta.json ownerId differs from the registry owner — an incoherence. Also the runtime uses an ATXP_CONNECTION environment variable but the skill declares no required env vars.
Instruction Scope
Instructions tell the agent to run 'npx atxp login' and to 'source ~/.atxp/config' and to check $ATXP_CONNECTION. Sourcing a config file executes its contents in the shell and can run arbitrary code; relying on 'npx' fetches and runs code from the npm registry at runtime. The SKILL.md references an env var (ATXP_CONNECTION) and a home config path that are not declared in the skill metadata.
Install Mechanism
There is no install spec, but instructions rely on 'npx atxp' which will dynamically download and execute a package from the npm registry. Dynamic npx installs are effectively arbitrary remote code execution unless the package is known and verified. The skill provides no provenance (homepage, official package name verification) for the 'atxp' package.
Credentials
The SKILL.md expects an ATXP_CONNECTION credential (and suggests sourcing ~/.atxp/config) but the skill declares no required environment variables or primary credential. That mismatch is important: the agent will be instructed to load credentials not declared in the skill manifest. The skill will also send queries and prompts to external MCP servers listed in the doc.
Persistence & Privilege
The skill does not request 'always: true' and is not asking to modify other skills or global agent settings. However the login flow writes/sources ~/.atxp/config which could persist credentials and execute config content — users should be cautious about allowing automatic sourcing of files in their home directory.
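How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog: /install sss
  3. Once installation is complete, call the Skill by name or use /sss to trigger it
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history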
v1.0.0
Initial release of ATXP tools integration.
- Enables access to ATXP’s paid API tools via CLI for web search, AI image, music, video generation, and X/Twitter search.
- Requires authentication with npx atxp login.
- Provides both CLI commands and programmatic usage examples.
- Lists available MCP servers and corresponding tools.
Metadata
Slug sss
Version 1.0.0
License
Total installs 0
Current installs 0
Historical versions 1
FAQ

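What is Maay?

Access ATXP paid API tools for web search, AI image generation, music creation, video generation, and X/Twitter search. Use when users need real-time web sea... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 728 total downloads so far.

How do I install Maay?

Run the command "/install sss" in the OpenClaw or Claude Code dialog to install it with one click; no additional configuration is required.

Is Maay free?

Yes, Maay is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Maay support?

Maay runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Maay?

It is developed and maintained by syveraerp (@syveraerp); the current version is v1.0.0.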
