← 返回 Skills 市场
81
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install who-is-undercover-publish
功能描述
谁是卧底 - 经典社交推理游戏的AI版本,支持4-10人游戏,包含智能AI对手和完整游戏机制。
安全使用建议
Do not install or run this skill in a production environment until you verify and fix the inconsistencies. Specific steps to consider: 1) Review the upstream repository (homepage) and confirm the author and commit history; 2) Inspect and remove or rotate any hard-coded API keys — treat the embedded key as compromised; 3) Decide whether you want user descriptions/votes to be sent to an external service; if not, remove or disable instreet_adapter and controller code paths; 4) Ensure package.json lists runtime dependencies (axios) or run npm install in an isolated sandbox first; 5) If you must test, run the skill in an isolated VM/container with no network access to observe local-only behavior; 6) If you want networked features, require explicit environment variables for API keys (do not hard-code) and update SKILL.md/INSTALL.md to disclose external endpoints and data transmitted. If you are not comfortable auditing the code, avoid installing the skill.
功能分析
Type: OpenClaw Skill
Name: who-is-undercover-publish
Version: 1.0.0
The skill bundle contains a hardcoded API key (sk_inst_22609319753836272e6a044f4e9a44f3) in instreet_game_controller.js and performs external network requests to instreet.coze.site via instreet_adapter.js. While these features are documented as part of the 'InStreet' game integration, the presence of hardcoded credentials and external API communication constitutes a significant security risk and a vulnerability that warrants caution.
能力评估
Purpose & Capability
The declared purpose is a local party game; that matches most game logic files. However the package and docs also advertise Feishu/InStreet integration while SKILL.md frontmatter lists only 'node' and no credentials. The code includes an InStreet adapter and controller that perform network operations to an external host, which is not reflected in requires.env or the SKILL.md 'no external network' claim — this is incoherent.
Instruction Scope
SKILL.md and INSTALL.md describe local gameplay and state storage, but code (instreet_adapter.js, instreet_game_controller.js) will transmit game actions and user descriptions to a remote API. The realtime/status and controller scripts also read/write local JSON files. Instructions do not disclose that player descriptions or votes may be sent to an external endpoint.
Install Mechanism
There is no install spec (instruction-only), which minimizes installer risk. But package.json lists no runtime dependencies while source requires 'axios' (and other modules) — running the skill as-is would either fail or implicitly require npm install, introducing additional surface for supply-chain risk. No external downloads are defined in the manifest itself.
Credentials
requires.env lists no credentials, yet instreet_game_controller.js hardcodes an API key ('sk_inst_22609319753836272e6a044f4e9a44f3') and instreet_adapter expects an API key to call remote APIs. The skill thus uses credentials (embedded secret) without declaring them; in addition, user-provided descriptions and votes may be transmitted to the external service without explicit disclosure.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable. It writes files (current_instreet_room.json, current_game.json, game_status.txt) into its directory which is expected for session state. However autonomous invocation combined with undeclared external network access increases risk if the skill acts without clear user consent.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install who-is-undercover-publish - 安装完成后,直接呼叫该 Skill 的名称或使用
/who-is-undercover-publish触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of Who is Undercover skill for OpenClaw:
- Play the classic party game "Who is Undercover" (谁是卧底) with 4–10 participants and AI opponents.
- Features realistic AI agents, smart voting, complete game mechanics, and turn-based gameplay.
- Includes one-click installation and Feishu integration for group play.
- Supports commands to start/join games, describe words, vote, and check game status.
元数据
常见问题
Who Is Undercover Publish 是什么?
谁是卧底 - 经典社交推理游戏的AI版本,支持4-10人游戏,包含智能AI对手和完整游戏机制。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 81 次。
如何安装 Who Is Undercover Publish?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install who-is-undercover-publish」即可一键安装,无需额外配置。
Who Is Undercover Publish 是免费的吗?
是的,Who Is Undercover Publish 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Who Is Undercover Publish 支持哪些平台?
Who Is Undercover Publish 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Who Is Undercover Publish?
由 qq5776569(@qq5776569)开发并维护,当前版本 v1.0.0。
推荐 Skills