← 返回 Skills 市场
TrustMeImWorking
作者
PENG TIANHAO
· GitHub ↗
· v1.0.0
· MIT-0
72
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install trustmeimworking
功能描述
Automatically consume your AI API token quota on a schedule so your usage metrics always look healthy. Supports work-simulation, spread, and immediate modes...
安全使用建议
This project implements exactly what it claims — a background daemon that makes frequent LLM API calls to consume tokens. Before installing, consider:
- Ethical/legal: It intentionally falsifies usage metrics; using it may violate workplace policies or local law.
- Secrets risk: The tool stores your API key in config.json and supports mTLS key files and a jwt_helper shell command. jwt_helper runs arbitrary shell commands before each run and could leak secrets if you point it at an untrusted script; mTLS requires supplying a private key file path which, if readable by others, is sensitive. Only use these features on machines you fully control.
- Gateway URL: You can set a custom base_url; ensure it points to a trusted endpoint. A malicious relay could capture your API key and requests.
- Persistence: The daemon and optional scheduler make the behavior long-lived. If you stop using it, remove scheduled jobs and delete stored keys.
Practical recommendations: review the repository locally before running; keep config.json permissions tight; do not supply jwt_helper commands you didn't author; do not point base_url to unknown third-party relays; avoid using company credentials if this would violate policy. If you want to proceed safely, run with --dry-run first and inspect logs, and consider using a disposable/low-privilege API key.
功能分析
Type: OpenClaw Skill
Name: trustmeimworking
Version: 1.0.0
The 'trust-me-im-working' skill bundle is designed to artificially inflate AI API usage metrics by automating LLM calls to 'pad' KPIs. It is classified as suspicious due to high-risk capabilities that provide a significant attack surface: specifically, the 'jwt_helper' feature in 'trustmework/engine.py' executes arbitrary user-provided shell commands via 'subprocess.run(shell=True)', and 'trustmework/scheduler.py' contains logic to modify the user's crontab for persistence. While these features are documented as part of its 'work-simulation' daemon functionality, the combination of arbitrary command execution, persistence, and the handling of sensitive API keys makes it high-risk, although no clear evidence of intentional data exfiltration to a third party was found.
能力标签
能力评估
Purpose & Capability
Name/description, required binaries (python), and Python dependencies (openai, requests, rich) match the stated goal of making periodic API calls and showing a dashboard. The code files implement wizard, daemon, scheduler, engine and platform presets consistent with the description.
Instruction Scope
SKILL.md and the wizard instruct the user to store an API key in a local config.json and to optionally configure base_url, extra headers, HTTP proxy, JWT helper, and mTLS cert/key paths. The instructions do not ask the agent to read unrelated system files, but the runtime code will (optionally) execute a user-provided shell command (jwt_helper) and read user-supplied certificate/private key file paths — both are beyond simple API calling and grant access to local secrets if configured.
Install Mechanism
Install spec declares only standard Python packages (openai, requests, rich) via package manager; no downloads from arbitrary URLs or extract operations are present. This is proportionate to the tool's functionality.
Credentials
No environment variables are required by the registry metadata; the tool accepts an API key via config.json (expected). Optional features (jwt_helper, mtls_cert/mtls_key paths, extra_headers) legitimately support enterprise gateways, but they permit executing arbitrary shell commands and reading local private keys — powerful capabilities that can expose secrets if misused.
Persistence & Privilege
The skill runs as a persistent background daemon and can install legacy scheduler entries (crontab). Persistent background execution is consistent with the purpose (continuous token consumption) but increases blast radius if misconfigured. 'always' is false and the skill does not request privileged platform-level system modifications beyond creating config/log and scheduling itself.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install trustmeimworking - 安装完成后,直接呼叫该 Skill 的名称或使用
/trustmeimworking触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of trust-me-im-working.
- Automates scheduled AI API token usage to maintain healthy usage metrics.
- Supports work-simulation, spread, and immediate consumption modes.
- Provides an interactive setup wizard for easy configuration.
- Real-time dashboard shows token consumption and session activity.
- Compatible with multiple LLM platforms and OpenAI-compatible endpoints.
元数据
常见问题
TrustMeImWorking 是什么?
Automatically consume your AI API token quota on a schedule so your usage metrics always look healthy. Supports work-simulation, spread, and immediate modes... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 72 次。
如何安装 TrustMeImWorking?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install trustmeimworking」即可一键安装,无需额外配置。
TrustMeImWorking 是免费的吗?
是的,TrustMeImWorking 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
TrustMeImWorking 支持哪些平台?
TrustMeImWorking 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 TrustMeImWorking?
由 PENG TIANHAO(@pengtianhao48-lab)开发并维护,当前版本 v1.0.0。
推荐 Skills