loveyana

Volcengine Agent Identity

Author: M1a0 · GitHub · v0.2.1
cross-platform ⚠ suspicious
Total downloads: 573
Favorites: 4
Current installs: 0
Versions: 2
Install in OpenClaw
/install volcengine-agent-identity
Description
UserPool login, TIP token, credential hosting, and tool risk approval. Activate when user needs to check identity (whoami/status), log in, list/add credentia...
Security usage recommendations
This skill is coherent for identity and credential management and does not request unrelated secrets or installs. Before enabling it, consider:
  1. Only enable the plugin if you need agent-hosted credentials or OIDC/TIP flows.
  2. Review where credentials will be stored and who can access them; ensure storage is encrypted and access-audited.
  3. Pay attention to bindings: binding a provider to an env var lets other tools receive those secrets — restrict which tools/agents can use injected env vars.
  4. Keep authz.requireRiskApproval enabled (and avoid allowing the agent to self-approve) so high-risk commands require explicit user approval.
  5. Monitor approval logs and periodically review providers and bindings.
If you are uncomfortable with an agent having the ability to inject credentials into tool invocations, do not enable this plugin.
Functional analysis
Type: OpenClaw Skill
Name: volcengine-agent-identity
Version: 0.2.1
The skill is classified as suspicious due to a high-risk vulnerability in the `identity_fetch` tool. Specifically, the `returnValue: true` parameter allows the AI agent to retrieve the raw credential string directly. If an attacker can craft a prompt to trick the agent into calling `identity_fetch` with this parameter for an existing credential, the agent would gain access to the sensitive credential, enabling potential exfiltration. While the skill includes security features like risk checking and explicit instructions against agent self-approval, this specific capability presents a significant attack surface for credential theft via prompt injection.
Capability assessment
Purpose & Capability
Name, description, and runtime instructions align: the skill is for OIDC login, TIP tokens, credential hosting, and risk approval. It does not request unrelated environment variables or binaries. The declared required config path (plugins.entries.agent-identity.enabled) is appropriate for a plugin of this type.
Instruction Scope
SKILL.md instructs the agent to call identity tools for login, status, fetch, list, and binding operations — this is within scope. It explicitly warns the agent not to self-approve user-initiated slash commands. One notable capability: the skill supports binding credential providers to environment variables for other tools (tool injection). That is a legitimate feature for a credential-hosting plugin, but it is powerful because it enables other tools/commands to receive secrets. The instructions do not ask the agent to read arbitrary host files or unrelated env vars, nor to transmit secrets to unexpected external endpoints.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest risk from installation perspective. Nothing is written to disk by this skill's manifest.
Credentials
The skill declares no required environment variables or primary credential, which is proportional. However, its functionality includes storing credentials and binding them to environment variables for tool use; while appropriate for identity management, that capability effectively grants the plugin the ability to surface secrets to other tools, so operational controls (who can approve bindings, auditing) matter.
Persistence & Privilege
always is false and model invocation is not disabled (normal). The skill requires enabling in plugin config; it does not demand permanent always-on inclusion or modify other skills' configs. No other elevated persistence or cross-skill access is requested.
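How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog: /install volcengine-agent-identity
  3. After installation, invoke the Skill by name or trigger it with /volcengine-agent-identity
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history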
v0.2.1
Introduce a new tool that generates agent-identity config snippets (src/tools/identity-config-suggest.ts) and register it in index.ts. Update SKILL.md to document the identity_config_suggest action and usage, and update openclaw.plugin.json and package.json to reflect expanded description and bump version to 0.2.1. The tool returns JSON instructions and identity defaults to help users merge config into openclaw.json (does not modify files automatically).
v0.1.9
UserPool login, TIP token, credential hosting
Metadata
Slug volcengine-agent-identity
Version 0.2.1
License
Total installs 0
Current installs 0
Historical versions 2
FAQ

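What is Volcengine Agent Identity?

UserPool login, TIP token, credential hosting, and tool risk approval. Activate when user needs to check identity (whoami/status), log in, list/add credentia... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 573 total downloads to date.

How do I install Volcengine Agent Identity?

Run the command "/install volcengine-agent-identity" in the OpenClaw or Claude Code dialog to install it in one step; no additional configuration is required.

Is Volcengine Agent Identity free?

Yes, Volcengine Agent Identity is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Volcengine Agent Identity support?

Volcengine Agent Identity runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Volcengine Agent Identity?

It is developed and maintained by M1a0 (@loveyana); the current version is v0.2.1.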
