← 返回 Skills 市场
95
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install sure-api
功能描述
Use the we-promise/sure REST API with X-Api-Key auth. Covers accounts, transactions, categories, tags, merchants, imports, holdings, trades, valuations, chat...
安全使用建议
This skill implements a legitimate-looking client for the Sure API, but there are actionable mismatches you should resolve before trusting it:
- The skill reads SURE_API_KEY and SURE_BASE_URL from /root/.openclaw/workspace/secure/api-fillin.env (and will use that API key for any request). The registry metadata does not declare these required secrets or the config path — ask the publisher to add them to the metadata so you can make an informed decision.
- The included low-level script (scripts/sure_api_request.sh) can call any API endpoint (including destructive ones like user delete/reset) using the stored API key. Prefer using the high-level CLI (which has --yes gates) and only run the raw request script when you understand the consequences.
- The self-update script downloads the OpenAPI YAML from raw.githubusercontent.com and regenerates the local summary. If you or an automated agent runs that update, remote changes to the upstream spec could alter which endpoints the skill exposes; only run updates from a trusted network/source.
- If you will allow autonomous invocation, consider the increased blast radius: an autonomous agent with access to the secure env file and permission to run the update or raw request script could issue arbitrary calls. If you are unsure, keep the skill user-invocable only and do not store the API key in a shared location.
Suggested actions before installing: request updated metadata listing required env vars and config path; verify the secure env file is isolated and accessible only to the skill owner; prefer manual invocation for any write or update operations; and audit the OpenAPI file and allowed endpoints for any destructive actions you don’t want the agent to perform.
能力评估
Purpose & Capability
The skill's name/description match the included code: a CLI, raw request wrapper, OpenAPI spec, and self-update flow for the Sure REST API. However the registry metadata claims no required env vars or config paths while the code and SKILL.md clearly expect SURE_BASE_URL and SURE_API_KEY to be read from /root/.openclaw/workspace/secure/api-fillin.env. The missing declaration of required secrets/config is an incoherence.
Instruction Scope
SKILL.md and the scripts limit actions to the official API and recommend a 'read -> dry-run -> confirm' pattern. Nevertheless the bundle includes sure_api_request.sh which will send arbitrary HTTP METHOD/PATH requests (including potentially destructive endpoints such as user delete/reset) using the stored API key. The self-update script fetches the OpenAPI spec from raw.githubusercontent.com and overwrites the local copy; if run automatically this could change agent behaviour. The instructions reference and access the secure env file path directly (not declared in metadata).
Install Mechanism
There is no install spec (instruction-only installation), so nothing is automatically written or installed at install time. The included sure_openapi_update.sh downloads an OpenAPI YAML from GitHub raw (a well-known host) when invoked; that download is expected for a self-update use case but it means remote content can change the skill's effective API surface when the update is run.
Credentials
The skill needs an API key and base URL (SURE_API_KEY, SURE_BASE_URL) stored in secure/api-fillin.env and the code reads /root/.openclaw/workspace/secure/api-fillin.env, but the package metadata lists no required env vars or config paths. Requiring secret access while not declaring it in metadata is disproportionate and reduces transparency. The requested secrets themselves (API key + base URL) are proportionate to the stated purpose if declared explicitly.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It can be invoked autonomously (default), which is normal; combine that with the earlier concerns (undeclared secrets + raw request capability + update-from-remote) if you plan to allow autonomous invocation.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install sure-api - 安装完成后,直接呼叫该 Skill 的名称或使用
/sure-api触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial public release with official Sure API URLs, self-update workflow, live acceptance, and ClawHub publish readiness.
元数据
常见问题
Sure API 是什么?
Use the we-promise/sure REST API with X-Api-Key auth. Covers accounts, transactions, categories, tags, merchants, imports, holdings, trades, valuations, chat... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 95 次。
如何安装 Sure API?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install sure-api」即可一键安装,无需额外配置。
Sure API 是免费的吗?
是的,Sure API 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Sure API 支持哪些平台?
Sure API 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Sure API?
由 ashanzzz(@ashanzzz)开发并维护,当前版本 v1.0.0。
推荐 Skills