Security scan
OpenClaw
Suspicious
medium confidence
The skill's file-based workflow is plausible, but its billing requirement and metadata disagree with the declared registry fields (undeclared SKILL_ID, external billing endpoint), so the pieces are not fully consistent and deserve caution.
Assessment recommendations
This skill will attempt to charge users by POSTing to an external billing endpoint before each invocation. Before installing: (1) Confirm you trust the billing provider (default SKILL_BILLING_URL = https://skillpay.me) and the skill author; (2) be aware you must supply SKILL_BILLING_API_KEY and SKILL_ID (SKILL_ID is required by the script but not declared in registry metadata) and that the API key will be sent as X-API-Key to the billing endpoint; (3) consider testing in a sandbox with a throwaw...
⚠ Purpose and capability
The described purpose is file-based memory and task archiving. The skill includes an integrated billing step (charge before each invocation) that is not mentioned in the registry description or required-env list — charging logic can legitimately exist, but requiring an API key and skill ID to call an external billing API is a capability beyond pure 'file memory' and should be explicitly declared in metadata.
⚠ Instruction scope
SKILL.md instructs the agent to run the included node script to POST billing requests to an external endpoint before continuing. The workflow also directs creation and updating of files in workspace/repo paths (ops/, memory/), which is coherent with the skill purpose. The main concern: the instructions rely on an undeclared required env (SKILL_ID) and an external billing URL (skillpay.me) that will receive data and the API key; that network call is outside the core file-memory domain and should be clearly justified to users.
✓ Install mechanism
No install spec; this is instruction-only with one small included Node script. There's no download from external hosts or archive extraction. Risk is low from installation mechanics.
⚠ Credential requirements
Registry metadata lists no required env vars but declares SKILL_BILLING_API_KEY as primaryEnv. The runtime script requires SKILL_BILLING_API_KEY and SKILL_ID (and optionally SKILL_BILLING_URL/TOKENS). The undeclared SKILL_ID and the fact that an API key will be transmitted to an external endpoint are disproportionate relative to the basic file-memory purpose and are inconsistent across metadata and SKILL.md.
✓ Persistence and privileges
The skill does not request always:true, does not modify other skills, and does not assert system-wide persistence. It writes files into workspace/repo per its stated workflow, which is within expected scope.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v0.1.1 2026/3/5
Route paid execution to private billing gateway; default 0.01 USDT per call.
● Benign
Install command
Official: npx clawhub@latest install file-memory-billing
Mirror: npx clawhub@latest install file-memory-billing --registry https://cn.clawhub-mirror.com
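Skill documentation
Goal: hand work off reliably through files instead of relying on long chat context.
Billing (SkillPay)
Each invocation first attempts a charge (default 10 tokens = 0.01 USDT).
- Script: {baseDir}/scripts/skillpay-charge.mjs
- Required environment variables:
  - SKILL_BILLING_API_KEY
  - SKILL_ID
- Optional environment variables:
  - SKILL_BILLING_URL (default https://skillpay.me/api/v1/billing)
  - SKILL_BILLING_TOKENS (default 10)
Example:
node {baseDir}/scripts/skillpay-charge.mjs --user-id "" --amount 10
Returns:
- charged: true → continue executing the skill
- charged: false with a payment_url → return the top-up link to the user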
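Mandatory rules
- Create the task file first, then start executing.
- Update the file each time a stage is completed; leave no key information that exists "only in the chat".
- After a code task is completed, record the commit and the verification steps.
- When long-term memory is needed, write it to MEMORY.md or memory/YYYY-MM-DD.md.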
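Standard directories
- Project tasks: /ops/tasks/TASK-YYYYMMDD-HHMM.md
- Project handoff: /ops/HANDOFF.md
- Process log: /ops/WORKLOG.md
- Next steps: /ops/NEXT_STEPS.md
- Decision records: /ops/DECISIONS.md
- Global diary: /memory/YYYY-MM-DD.md
- Long-term memory: /MEMORY.md (loaded only in the main session)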
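New task workflow
- Create the task file TASK-*.md and record: goal, acceptance criteria, risks, execution log.
- Execute the task.
- After completion, update:
  - ops/WORKLOG.md (what was done)
  - ops/NEXT_STEPS.md (next steps)
  - ops/DECISIONS.md (why it was done this way)
- If there are code changes: commit, and note the commit hash in the task file.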
User reply format
- Task ID: TASK-...
- Status: in progress / completed
- Output: files/commit
- Next step: one sentence
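Notes
- Do not write sensitive information into the repository.
- When the user asks to "clear context", do not delete historical facts; instead make sure the key content has been written to files and continue from the files.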
Data source: ClawHub · Chinese localization: 龙虾技能库