← 返回 Skills 市场
809
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install strapi
功能描述
Manage Strapi CMS content through the official @strapi/client SDK. CRUD on collection types, single types, and media files. Upload files to media library. In...
安全使用建议
This skill appears coherent and implements a Strapi client CLI as claimed. Before installing: 1) Confirm the skill source/author (homepage is missing and owner ID is unknown). 2) Use a Strapi API token with the minimum permissions you need (prefer a read-only token if you only need inspection). 3) Be aware the skill runs local Node commands (npx tsx ...) and may cause npx to fetch dev tooling at runtime — run in an isolated environment or review package-lock.json first. 4) Schema-write and layout-write operations are destructive and should only be used on development/local instances (the docs already warn about this). 5) Ask the publisher to clarify the install metadata that claims to 'create' a node binary — it looks like a packaging/manifest inconsistency but not an indicator of malicious behavior.
功能分析
Type: OpenClaw Skill
Name: strapi
Version: 1.0.0
The skill is classified as suspicious due to several risky capabilities that could be exploited via prompt injection or malicious user input. Specifically, `src/handlers/files.ts` allows reading arbitrary local files (`readFileSync`) and downloading files from arbitrary URLs (`fetch`), then uploading their content to the configured Strapi instance. This creates a significant data exfiltration risk. Additionally, `src/index.ts` exposes a `fetch` domain that enables raw HTTP requests to any path on the `STRAPI_BASE_URL`, which could be abused for unauthorized actions or reconnaissance. While these capabilities align with the stated purpose of a comprehensive Strapi management tool, they represent high-risk attack surfaces without clear malicious intent within the skill's code itself.
能力评估
Purpose & Capability
Name/description match the code and handlers. Required env vars (STRAPI_API_TOKEN, STRAPI_BASE_URL) and the node runtime are appropriate and necessary for using @strapi/client. Declared permissions (network) and the documented capabilities (CRUD, media upload, schema introspection, i18n) align with the implementation.
Instruction Scope
SKILL.md and instructions.md direct the agent to run the local CLI wrapper (npx tsx src/index.ts) and to use only the declared environment variables. The instructions do not ask the agent to read unrelated system files or exfiltrate data to third-party endpoints. Raw fetch functionality is limited to Strapi endpoints (via the client).
Install Mechanism
The package is a normal Node skill (package.json depends on @strapi/client). No arbitrary external download URLs are used. However, the install spec in metadata is unusual: it lists an install item with kind 'node' and package '.' that declares it 'creates' a 'node' binary — that mapping is incoherent (you wouldn't install the Node runtime from the skill package). Also runtime usage expects 'tsx' (a devDependency) invoked via npx, which may cause npx to fetch packages at runtime. These are implementation/packaging oddities rather than indicators of malicious behavior, but worth confirming.
Credentials
Only two environment values are required: STRAPI_API_TOKEN (primary credential) and STRAPI_BASE_URL. Both are necessary and proportionate for accessing a Strapi API. There are no unrelated secrets requested.
Persistence & Privilege
Skill does not request always:true and does not declare any system-wide config changes. Its manifest and instructions operate within the skill's own directory and runtime; autonomous invocation is permitted (platform default) but not combined with elevated privileges.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install strapi - 安装完成后,直接呼叫该 Skill 的名称或使用
/strapi触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release: Manage Strapi CMS content via the official @strapi/client SDK.
- Supports CRUD operations for collection types, single types, and media files.
- Enables schema introspection, form layout configuration, and draft/publish workflow.
- Manage users, roles, permissions, authentication, locales, and localized content.
- Upload files to the media library and handle translations/localization.
- Requires STRAPI_API_TOKEN and STRAPI_BASE_URL environment variables.
元数据
常见问题
Strapi CMS 是什么?
Manage Strapi CMS content through the official @strapi/client SDK. CRUD on collection types, single types, and media files. Upload files to media library. In... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 809 次。
如何安装 Strapi CMS?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install strapi」即可一键安装,无需额外配置。
Strapi CMS 是免费的吗?
是的,Strapi CMS 完全免费(开源免费),可自由下载、安装和使用。
Strapi CMS 支持哪些平台?
Strapi CMS 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Strapi CMS?
由 Ilya R.(@ilya-ryzhov)开发并维护,当前版本 v1.0.0。
推荐 Skills