rosebeatty

Whirlwind

By Rose Beatty · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 55
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install whirlwind
Description
Production-ready Next.js AI SaaS template with Supabase auth, Stripe payments, email system, multi-model AI client, and customizable components for rapid AI...
Security guidance
This skill appears to be a legitimate template generator, but exercise caution before providing secrets. Do not paste high-privilege keys (especially SUPABASE_SERVICE_ROLE_KEY, Stripe secret keys, or any private AI provider keys) directly into chat. Prefer the following safer workflow:
- Verify the skill's source (GitHub repo, package publisher) and review the templates locally before running any automated setup. The registry metadata lacks a verified homepage — confirm the repository URL is legitimate.
- When setting up services, create and paste only low-privilege keys into client-side config (e.g., public anon keys or publishable Stripe keys). Never disclose service_role or secret API keys in a conversational interface. Use your hosting platform's secrets manager or environment configuration (Vercel, Supabase project settings, etc.).
- Inspect the generated .env files and ensure server-only secrets are kept out of client builds. SUPABASE_SERVICE_ROLE_KEY must only be used server-side and not committed to version control or exposed to the browser.
- If you want ClawdBot to help with setup, restrict it to providing commands and checklists rather than collecting secrets. If you must provide keys to the skill, do so via a secure channel (not chat) and consider creating limited-scope API keys for this purpose.
- If you plan to run the setup automatically, review the code paths that persist secrets and run migrations locally or in an isolated environment first.

Given the mismatch between the manifest and the instructions and the explicit instruction to collect secrets in chat, treat this skill as suspicious until you confirm its provenance and adjust how secrets are supplied.
Functional analysis
Type: OpenClaw Skill
Name: whirlwind
Version: 1.0.0

The Whirlwind skill bundle functions as a comprehensive setup assistant for a SaaS template, but it is classified as suspicious due to its aggressive collection of high-privilege credentials. The 'SETUP_WORKFLOW.md' and 'SKILL.md' files instruct the agent to solicit extremely sensitive secrets from the user, including the Supabase Service Role key (which bypasses Row Level Security), Stripe Secret keys, and multiple AI API keys. While the instructions direct the agent to save these to a local '.env.local' file, the process involves handling these secrets within the agent's context, creating a high risk of accidental exposure or misuse. Furthermore, the skill relies on cloning an external repository (github.com/WhirlwindAI/whirlwind), which introduces a supply chain risk as the core logic resides outside the analyzed bundle.
Capability tags
crypto · can-make-purchases · requires-oauth-token · requires-sensitive-credentials
Capability assessment
Purpose & Capability
The declared purpose (Next.js AI SaaS template with Supabase, Stripe, AI providers) matches the templates and examples provided. However, the skill.json and registry metadata list no required environment variables or primary credential, while SKILL.md and README repeatedly instruct the agent to collect and use many secrets (Supabase anon and SERVICE_ROLE key, Stripe secret/webhook secret, Anthropic/OpenAI keys, Mailchimp key, etc.). That mismatch (no declared required env vs. explicit instructions to collect many secrets) is an incoherence that reduces trust.
Instruction Scope
SKILL.md and SETUP_WORKFLOW.md explicitly instruct ClawdBot to prompt the user for API keys and secrets and to 'Create your .env with all your API keys' and to paste values into the conversation (e.g., 'Give me these: NEXT_PUBLIC_SUPABASE_URL=...'). Collecting highly privileged secrets (notably SUPABASE_SERVICE_ROLE_KEY and Stripe secret keys) via chat is unnecessary and dangerous. The rest of the instruction scope (creating components, API routes, SQL migrations, and using the AI client) is within the template's purpose, but the instructions grant the agent broad discretion to request and persist sensitive data in chat and files.
Install Mechanism
This is an instruction-first skill with included templates and no install spec — lowest install risk. There are no downloads, remote install URLs, or archive extraction steps in the metadata. The included templates are consistent with the stated purpose.
Credentials
The set of environment variables requested in the docs (Supabase URL, anon key, SUPABASE_SERVICE_ROLE_KEY, STRIPE_SECRET_KEY, NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY, STRIPE_WEBHOOK_SECRET, ANTHROPIC_API_KEY, OPENAI_API_KEY, Mailchimp keys, etc.) are all relevant to running the template. However, the inclusion of SUPABASE_SERVICE_ROLE_KEY (a high-privilege service key) and the practice of asking the user to paste those keys into the chat are disproportionate and risky. Additionally, the manifest declares no required env variables or primary credential — inconsistent with the large number of secrets the workflow expects.
Persistence & Privilege
The skill does not request 'always: true' and does not claim additional platform privileges. It instructs the agent to write .env files and migrations to the project — normal for a template generator. Nevertheless, because the skill's runtime instructions encourage placing secrets into files and the chat, treat autonomous invocation with caution: if the agent can run this workflow automatically, it could collect and persist secrets without clear guardrails. On its own this is not a privilege escalation, but combined with the secret-collection behavior it raises risk.
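How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install whirlwind
  3. Once installation completes, invoke the Skill by name or trigger it with /whirlwind
  4. Provide the required input according to the Skill's parameter documentation to get structured output
Version history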
v1.0.0
Whirlwind AI SaaS Template Skill version 2.0.0 is a major update with expanded documentation and clear customization steps.
- Introduces a detailed SKILL.md with infrastructure overview and clear file structure annotations (core, customizable, and generatable files).
- Guides users to create new AI-driven features, API endpoints, and database tables with step-by-step code templates.
- Describes included tech: Supabase auth, Stripe payments, email systems, and support for multiple AI models (Claude, GPT-4, Gemini).
- Standardizes usage of shared AI client utilities and secure database operations.
- Centralizes product-specific configuration and content, streamlining custom AI SaaS product creation.
Metadata
Slug: whirlwind
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
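FAQ

What is Whirlwind?

Production-ready Next.js AI SaaS template with Supabase auth, Stripe payments, email system, multi-model AI client, and customizable components for rapid AI... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 55 total downloads so far.

How do I install Whirlwind?

Run the command "/install whirlwind" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is Whirlwind free?

Yes, Whirlwind is completely free. It uses the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Whirlwind support?

Whirlwind runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops Whirlwind?

It is developed and maintained by Rose Beatty (@rosebeatty); the current version is v1.0.0.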
