TARDIS

Author: rm289 · GitHub · v1.2.0
cross-platform ⚠ suspicious
Total downloads: 2033
Favorites: 2
Current installs: 1
Versions: 4
Install in OpenClaw
/install tardis
Description
Track elapsed time from a set epoch with tamper-evident locking. Like an analog Hobbs meter but digital. Use for tracking uptime, service hours, time since events, sobriety counters, project duration, equipment runtime. Supports create, lock (seal), check, verify against external hash, list, and export operations.
Security usage recommendations
What to consider before installing or running this skill:
- Review the code locally before executing. The repository contains runnable Python scripts (meter.py, sendgrid_webhook.py) and a helper shell script that can start background services. Do not run them without inspection.
- Be cautious with .env files: meter.py auto-loads ~/.env, /root/.env, and ./ . If you have sensitive secrets in those locations, the skill may read them into its process. Either remove unrelated secrets or run the skill in a sandboxed account/container.
- SendGrid and gateway tokens are optional but powerful. Only provide SENDGRID_API_KEY or OPENCLAW_GATEWAY_TOKEN if you trust the skill and understand the destination (SendGrid actions send email; gateway token allows sending messages via your OpenClaw gateway).
- If you plan to use the webhook server: prefer direct Discord webhooks over exposing an OpenClaw gateway token; enable SendGrid webhook signature verification (provide SENDGRID_WEBHOOK_PUBLIC_KEY and ensure the 'cryptography' dependency is available) to avoid spoofed events.
- The check-webhook-services.sh script references /root paths and will try to start cloudflared and the webhook server with nohup. Do not run that script as-is on shared or production hosts. Instead adapt paths, run under a non-root user, or manage services with a proper supervisor.
- The 'ACTION:' opt-in feature that can treat milestone message text as agent instructions is risky. Do not enable any agent behavior that executes remote message contents unless you fully trust the source and have strict sanitization/whitelisting.
- If you only need local time tracking, consider using meter.py without enabling email/webhook features, avoid running the webhook server, and keep witness files local (or opt for paper/photo backups).
If you want, I can point out the specific lines in meter.py or sendgrid_webhook.py that implement the .env auto-loading, webhook forwarding, and 'ACTION:' handling so you can review them more quickly.
Functional analysis
Type: OpenClaw Skill
Name: tardis
Version: 1.2.0
The skill is classified as suspicious due to the explicit 'ACTION: Triggers' feature documented in SKILL.md and README.md, which allows milestone messages from the plaintext `meters.json` file to be executed as agent instructions, creating a direct prompt injection vector if local file access is compromised. Additionally, the `scripts/check-webhook-services.sh` script actively starts a `cloudflared tunnel` to expose a local service to the public internet, a high-risk capability, and both Python scripts read environment variables from potentially sensitive locations like `/root/.env` and `~/.env`.
Capability assessment
Purpose & Capability
Core functionality (meter creation, locking, paper codes, verification, milestones) is implemented in meter.py and matches the description. Additional components — a SendGrid webhook server, cloud tunnel guidance, and a restart script — are related to milestone notification delivery but extend the skill into running networked services and system-level process management (e.g., cloudflared, nohup restart). That extra operational surface is plausible for notification features but is more than a minimal 'hour meter' and is environment-specific (references /root paths).
Instruction Scope
Runtime code auto-loads local .env files (~/.env, /root/.env, ./env) and exports them into the process; a helper script sources /root/.env. The SKILL.md and scripts instruct starting a webhook server, opening public tunnels (cloudflared/ngrok), and restarting services via nohup — all actions that access local files, open network endpoints, and create persistent background processes. The SKILL.md also documents an opt‑in feature where milestone messages prefixed with 'ACTION:' can be treated as agent instructions; if enabled this could allow remote message contents to influence agent behavior. These instructions go beyond simple local bookkeeping and increase risk.
Install Mechanism
There is no install spec (instruction-only skill) — no remote downloads or package installs are declared. This is lower risk from a supply-chain perspective. However, the skill expects or recommends external binaries (cloudflared, ngrok, cloud tunnel usage) and will try to run them via provided scripts if present. The included code files will write to user home paths when run (e.g., ~/.openclaw/), so running the scripts results in files on disk but nothing in the package fetches remote archives.
Credentials
The registry metadata declares no required env vars, but the code expects and will load many sensitive variables if present: SENDGRID_API_KEY, SENDGRID_WEBHOOK_PUBLIC_KEY, SENDGRID_FROM_EMAIL, OPENCLAW_GATEWAY_TOKEN, OPENCLAW_GATEWAY_URL, TARDIS_DISCORD_WEBHOOK, and METER_STORAGE / METER_WITNESS overrides. More concerning: meter.py will auto‑load and export values from ~/.env and /root/.env if SENDGRID_API_KEY is missing, which could unintentionally surface unrelated secrets. The skill gives no explicit justification for scanning /root/.env (not proportional to a simple local meter).
Persistence & Privilege
The skill does not set always:true, but it includes scripts that create persistent background services (nohup for webhook server and cloudflared tunnel) and a helper script to restart them. Those scripts assume particular filesystem locations (/root/.openclaw/workspace/skills/hour-meter) and may be intended to run by system cron/heartbeat. Running them gives the skill a persistent network presence and the ability to accept external events (SendGrid webhooks) and forward them via Discord or an OpenClaw gateway token. That increases the blast radius compared to a purely local CLI tool.
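How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install tardis
  3. Once installation completes, invoke the Skill by name or trigger it with /tardis
  4. Provide the required input according to the Skill's parameter description to get structured output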
Version history
v1.2.0: Address security review - ACTION: triggers now opt-in with security docs, clarified .env loading and webhook behavior
v1.1.0: TARDIS rebrand, unsubscribe links, webhook fixes
v1.0.1: Updated documentation noting rename from hour-meter
v1.0.0: Tamper-evident time tracking with milestone notifications. Like an analog Hobbs meter but digital.
Metadata
Slug tardis
Version 1.2.0
License
Total installs 1
Current installs 1
Historical versions 4
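Frequently asked questions

What is TARDIS?

Track elapsed time from a set epoch with tamper-evident locking. Like an analog Hobbs meter but digital. Use for tracking uptime, service hours, time since events, sobriety counters, project duration, equipment runtime. Supports create, lock (seal), check, verify against external hash, list, and export operations. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2033 total downloads so far.

How do I install TARDIS?

Run the command "/install tardis" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is TARDIS free?

Yes, TARDIS is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does TARDIS support?

TARDIS runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed TARDIS?

Developed and maintained by rm289 (@rm289); the current version is v1.2.0.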
