← 返回 Skills 市场
Web Service Onboarding
作者
Nissan Dookeran
· GitHub ↗
· v1.0.2
· MIT-0
114
总下载
0
收藏
1
当前安装
3
版本数
在 OpenClaw 中安装
/install web-service-onboarding
功能描述
Autonomous signup for external web services — browser automation, email verification, API key generation and secure storage in 1Password. Use when asked to c...
安全使用建议
This skill automates account creation and handles very sensitive secrets (email inbox access, passkeys, API keys, and 1Password storage). Before installing or invoking it, ask the publisher to: 1) list required binaries and exact environment variables (Playwright/Chrome, Node, 1Password CLI/OP session env, Proton Bridge/IMAP creds); 2) explain how 1Password authentication is performed (which env var or interactive flow) and confirm it will not leak tokens; 3) avoid writing raw credentials to world-readable temp files (don't write passkeys/API keys to /tmp or at minimum encrypt them and clean up securely); 4) provide a minimal, auditable example run or source code so you can review how private data is handled; and 5) run the skill first in an isolated sandbox account/environment. If the publisher cannot provide those clarifications, treat the skill as high risk for accidental credential exposure or misuse.
能力评估
Purpose & Capability
The skill's claimed purpose—automating signups, email verification, passkey handling, API key generation, and storing secrets in 1Password—matches the content of SKILL.md. However, the skill does not declare any required binaries, environment variables, or credentials (e.g., Playwright/Chromium, 1Password CLI/session token, Proton Bridge or IMAP credentials), even though the instructions clearly require them. That omission is an inconsistency: a legitimate onboarding skill should list the external tools and secrets it needs.
Instruction Scope
The SKILL.md instructs the agent to perform sensitive operations: create browser contexts, add a Playwright CDP virtual authenticator, export WebAuthn credentials to a local file (/tmp/webauthn-creds.json), fetch verification links via an IMAP bridge on localhost, and save API keys into 1Password. These operations access, create, and persist secrets. The instructions do not explain how to authenticate to 1Password or how to protect exported passkey files (which are written to /tmp, often world-readable). The skill also assumes access to a Proton Bridge or local IMAP proxy at 127.0.0.1:1143 without documenting credentials or setup. This scope creep and lack of safe-handling guidance is concerning.
Install Mechanism
There is no install spec (instruction-only), so nothing will be written automatically to disk by an installer — this lowers supply-chain risk. However, the runtime instructions depend on external tooling (browser automation like Playwright/CDP, Node runtime, 1Password CLI, Proton Bridge) and will write temporary files. The absence of an install spec means the skill expects those tools to already exist; the missing dependency declarations are a transparency gap.
Credentials
No environment variables or primary credential are declared, yet the workflow requires secrets and auth to external/local services: IMAP/email credentials or Proton Bridge config, 1Password session tokens or CLI auth, and possibly cloud provider credentials for some services. The skill also writes exported passkeys and presumably API keys to disk before moving them to 1Password. Requesting unspecified credentials or accessing local services without declaring them is disproportionate and raises risk of misconfiguration or accidental secret exposure.
Persistence & Privilege
The skill is not marked always:true and is user-invocable, so it does not have elevated forced persistence. Autonomous invocation is allowed (platform default) but that alone is not flagged. The SKILL.md does instruct writing persistent artifacts (files under /tmp, 1Password entries) but it does not attempt to modify other skills or global agent config.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install web-service-onboarding - 安装完成后,直接呼叫该 Skill 的名称或使用
/web-service-onboarding触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
Security: added security_notes to clarify legitimate usage of network/credential/encoding patterns. Prevents false-positive scanner flags.
v1.0.1
Security metadata: added security_notes clarifying this skill manages the agent's own signup session only, not credential theft. Tightened description wording to avoid false-positive scanner triggers.
v1.0.0
Initial publish: autonomous web service signup with browser automation, credential extraction, 1Password storage
元数据
常见问题
Web Service Onboarding 是什么?
Autonomous signup for external web services — browser automation, email verification, API key generation and secure storage in 1Password. Use when asked to c... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 114 次。
如何安装 Web Service Onboarding?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install web-service-onboarding」即可一键安装,无需额外配置。
Web Service Onboarding 是免费的吗?
是的,Web Service Onboarding 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Web Service Onboarding 支持哪些平台?
Web Service Onboarding 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Web Service Onboarding?
由 Nissan Dookeran(@nissan)开发并维护,当前版本 v1.0.2。
推荐 Skills