← 返回 Skills 市场
ucmai

Ucm

作者 UCM.AI · GitHub ↗ · v1.1.1
cross-platform ⚠ suspicious
670
总下载
2
收藏
0
当前安装
8
版本数
在 OpenClaw 中安装
/install ucm
功能描述
Provides API marketplace access for AI agents. Discovers and calls external capabilities including web search, image generation, code execution, text-to-spee...
安全使用建议
This skill appears internally consistent with an API marketplace aggregator, but consider the following before installing: (1) network access is required and calls to the marketplace will transmit request data and parameters off‑device — avoid sending sensitive secrets or private data to the service. (2) The registration script saves your API key to ~/.config/ucm/credentials.json and prints it to stdout; treat the key like any API secret and secure that file. (3) Calls to UCM are paid per endpoint — review pricing and quotas to avoid unexpected charges. (4) Verify the service (https://ucm.ai and registry.ucm.ai) and its privacy/policy terms if you plan to send user data. (5) If you need stronger local security, avoid using the registration helper and instead manage the key manually in a secure keystore.
功能分析
Type: OpenClaw Skill Name: ucm Version: 1.1.1 The skill bundle is classified as suspicious due to its explicit provision of high-risk capabilities, notably `ucm/code-sandbox` for executing arbitrary code (Python/JS/Bash/R/Java) in a sandboxed environment, `ucm/web-scrape` for extracting webpage content, and `ucm/email` for sending emails. While these services are documented as part of the skill's purpose as an API marketplace, they introduce significant vulnerability surfaces. Misuse by an AI agent (e.g., via prompt injection) or vulnerabilities in the underlying sandbox could lead to arbitrary code execution, sensitive data exfiltration, or unauthorized communication. The `scripts/register.sh` includes input sanitization for JSON payloads, mitigating direct shell injection for those specific inputs, and the `SKILL.md` does not contain hidden malicious prompt injection directives. However, the inherent power and potential for misuse of the exposed services warrant a 'suspicious' classification rather than 'benign'.
能力评估
Purpose & Capability
Name/description (API marketplace) match the declared credential (UCM_API_KEY), the SKILL.md lists many API services and endpoints, and the included register.sh registers an agent with registry.ucm.ai — all expected for this purpose.
Instruction Scope
SKILL.md instructs the agent to make network calls (curl/HTTP) to UCM endpoints and documents service payloads; it does not instruct reading unrelated system files or additional environment variables beyond UCM_API_KEY. Allowed tools (curl, grep) are appropriate for the documented operations.
Install Mechanism
No install spec is present (instruction-only), lowering disk/installation risk. The only included script is a simple registration helper that uses curl/jq/python3; there are no downloads from untrusted URLs or archive extraction.
Credentials
Only a single credential (UCM_API_KEY) is required and is consistent with an API gateway/marketplace. No unrelated secrets or cloud credentials are requested.
Persistence & Privilege
always:false and autonomous invocation are normal. The provided register.sh writes credentials to ~/.config/ucm/credentials.json and prints the API key — expected for a CLI registration helper but worth noting because credentials are stored in plaintext JSON and printed to stdout.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install ucm
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /ucm 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.1
Remove undocumented UCM_REGISTRY_URL env var to resolve security flag.
v1.1.0
Add ~/.config/ucm/credentials.json for persistent agent credentials. register.sh auto-saves and skips re-registration. Fix body→params consistency. Update to 100 services, 217 endpoints.
v1.0.5
Fix security scan: declare credentials, add homepage/source, remove Read from allowed-tools
v1.0.4
Use params instead of body in call examples
v1.0.3
Pin MCP server version, remove persistent key storage, fix inconsistent no-code-execution claim
v1.0.2
Fix: clarify that skill has no embedded scripts; MCP server is optional and auditable
v1.0.1
Remove internal docs from package, keep only SKILL.md
v1.0.0
Initial release: 100 API services for AI agents (87 free)
元数据
Slug ucm
版本 1.1.1
许可证
累计安装 0
当前安装数 0
历史版本数 8
常见问题

Ucm 是什么?

Provides API marketplace access for AI agents. Discovers and calls external capabilities including web search, image generation, code execution, text-to-spee... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 670 次。

如何安装 Ucm?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install ucm」即可一键安装,无需额外配置。

Ucm 是免费的吗?

是的,Ucm 完全免费(开源免费),可自由下载、安装和使用。

Ucm 支持哪些平台?

Ucm 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Ucm?

由 UCM.AI(@ucmai)开发并维护,当前版本 v1.1.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论