首页龙虾技能列表 › openclaw-fallback-skill — 技能工具

openclaw-fallback-skill — 技能工具

v1.0.0

Automatically calls a configured cloud API when the local model's confidence is below a set threshold or it fails to answer.

0· 65·0 当前·0 累计
by @dream458268696·MIT-0
下载技能包
License
MIT-0
最后更新
2026/3/26
安全扫描
VirusTotal
可疑
查看报告
OpenClaw
可疑
high confidence
The skill mostly implements a normal fallback-to-cloud behavior, but it contains clear inconsistencies (it always triggers the cloud call), includes a hard-coded API key in the repository, and will send conversation/context data to an external API—so review and fix before trusting it with real data or live keys.
评估建议
Don't install this into a production agent without remediation. Key actions to consider before use: - Treat the included config.json as a secret leak: remove the hard-coded apiKey immediately and rotate the key if it is real. - Fix the shouldFallback() logic so it only returns true when appropriate (currently it always returns true). - Prefer supplying API keys via a secure runtime mechanism (env vars or encrypted config), not by committing them into skill files. - Review and limit what context ...
详细分析 ▾
用途与能力
The skill's stated purpose is to call a cloud model only when the local model is uncertain. However, the shouldFallback() implementation always returns true (unconditional fallback), meaning it will call the cloud model on every request. That behavior is inconsistent with the description and likely disproportionate to the intended purpose.
指令范围
Runtime instructions and code send system prompt, recent conversation history, and any context.metadata.userInfo to the configured external API. That can leak user data/PII to the remote model; the skill also tests the API on init (sends a 'ping') which will transmit the API key and request details immediately.
安装机制
This is an instruction-plus-code skill with no platform install spec; readme asks to run 'npm install axios'. No remote downloads or extract steps are present, which limits supply-chain risk, but you must run npm to install axios (a normal dependency).
凭证需求
The skill does not require environment variables but ships a config.json containing an API key (sk-6cbc...) and apiUrl. Including a long-lived secret in the repository/config file is disproportionate and risky. The skill will use that key to authenticate requests; ideally keys should be provided at runtime via secure config or environment and not committed to the package.
持久化与权限
The skill does not request always:true and does not modify other skills; autonomous invocation is allowed (platform default). Combined with the unconditional fallback behavior, autonomous invocation increases the chance of unintended data exfiltration to the external API.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.0.02026/3/26

openclaw-fallback-skill

● 可疑

安装命令 点击复制

官方npx clawhub@latest install openclaw-fallback-skill
镜像加速npx clawhub@latest install openclaw-fallback-skill --registry https://cn.clawhub-mirror.com

技能文档

{ "name": "openclaw-fallback-skill", "version": "1.0.0", "description": "当本地模型无法回答时,自动调用配置的云端大模型 API", "author": "Your Name", "permissions": ["http", "config"], "events": ["beforeResponse", "modelFailure"], "configSchema": { "type": "object", "properties": { "apiUrl": { "type": "string", "format": "uri", "description": "云端大模型的 API 地址" }, "apiKey": { "type": "string", "description": "API 密钥" }, "modelName": { "type": "string", "description": "模型名称(如 gpt-4, claude-3 等)", "default": "gpt-3.5-turbo" }, "fallbackThreshold": { "type": "number", "description": "置信度阈值,低于此值触发 fallback", "default": 0.6, "minimum": 0, "maximum": 1 }, "maxRetries": { "type": "number", "default": 2 }, "timeout": { "type": "number", "description": "API 超时时间(秒)", "default": 30 }, "enableStreaming": { "type": "boolean", "default": false } }, "required": ["apiUrl", "apiKey"] } }

数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务