Security scan
OpenClaw
Suspicious
Medium confidence. The skill's code and instructions broadly match its stated purpose (a local cost estimator plus a model-dispatch sidebar), but several consistency and trust issues (unknown provenance, an API key entered through the UI that is not declared in the metadata, installation into a workspace hook, and a suspicious signup URL) warrant caution before installing.
Assessment recommendations
- Verify the author/source: the registry metadata shows no homepage and the owner is unknown.
- Inspect `loomlens-openclaw-plugin.ts` (the plugin) to confirm the exact API endpoint and make sure the Signal Loom key is used only for the declared billing calls; confirm that requests go to the officially expected domain (note the likely misspelling `signallloomai.com` in `SKILL.md`).
- Remember that the install step copies files into `~/.openclaw/workspace/hooks`, which gives the skill a persistent hook (`before_model_resolve`) that runs at prompt time; install only if you trust the code.
- If you plan to supply an API key, confirm the plugin's endpoint and privacy policy before entering it in the UI; do not paste secrets into an unknown external service.
- If the source cannot be verified, consider running the sidebar locally in a sandboxed environment, or ask the maintainers for an official homepage and source repository before proceeding.
✓ Purpose and capabilities
Name/description (a sidebar that estimates costs, recommends models, and dispatches prompts) match the provided artifacts: sidebar HTML, a local zero-dependency JS estimation engine, cluster definitions, and a plugin file that implements the before_model_resolve hook. There are no unrelated binaries or env vars declared. The included files plausibly implement the advertised features.
ℹ Instruction scope
SKILL.md stays on-topic (open the sidebar, estimate, optionally run estimates against Signal Loom using a user-supplied API key). It instructs the user to copy the skill into ~/.openclaw/workspace/hooks/loomlens-live/, which gives the skill a workspace hook that will run at runtime (expected for a plugin, but important to note). The instructions reference external workspace docs (REV_SHARE_ANALYSIS.md) and an external signup link; neither is required for local preview, but both could guide the user to external sites. No instructions ask the agent to read unrelated system files or environment variables.
✓ Installation mechanism
This is instruction-only (no automatic install spec). All source/build artifacts are included in the package; there are no remote downloads, package registry installs, or extract-from-URL steps. The build script is local and does no networking. Installation is a manual copy or `openclaw skills install`, which is expected for a third-party sidebar.
ℹ Credential requirements
The skill declares no required env vars and no primary credential, but SKILL.md expects users to provide a Signal Loom API key via the UI for 'Run Estimate' billing. That is proportional to the described functionality (per-call billing). However, because the metadata does not declare the API key, it will not be visible in permission prompts ahead of time. SKILL.md also shows a suspicious signup URL ("signallloomai.com/signup.html"), which may be a typo or a wrong domain; the plugin source should be checked for the real API endpoint to confirm where keys are sent.
ℹ Persistence and permissions
Installation into ~/.openclaw/workspace/hooks/loomlens-live/ registers a workspace hook, and the plugin implements before_model_resolve, meaning it can run on prompt/model resolution and override model selection. This persistence is consistent with the skill's purpose (model dispatch) but elevates its runtime influence; users should be aware that the plugin will run for every prompt in that workspace. always:false and default autonomous invocation are unchanged.
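The checks recommended above (which hosts the package talks to, whether any host is a lookalike of the expected domain, which runtime hooks it registers, and whether a key collected in the UI is declared in the metadata) can be run mechanically before anything is copied into the hooks directory. The Node.js script below is an added example written for this review; it is not part of the scan report or of the loomlens-live skill's own code. The file contents and metadata are constructed stand-ins for a skill package, and the expected domain `signalloomai.com` is an assumption (the report only shows the suspected-typo spelling).

```javascript
// Added example: static pre-install audit of a skill package. Not the
// loomlens-live skill's code; sample inputs below are constructed.
const URL_RE = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#][^\s"'`)]*)?/gi;
// Hook names the audit reports; before_model_resolve is the one the skill uses.
const HOOK_RE = /\b(before_model_resolve|after_model_resolve|before_prompt|after_prompt)\b/g;
// Secret-collecting inputs in sidebar HTML: password fields or key/token names.
const KEY_INPUT_RE = /<input[^>]*(?:type=["']password["']|name=["'][^"']*(?:api[_-]?key|token)[^"']*["'])[^>]*>/gi;

// Levenshtein distance; a small non-zero distance from the expected domain
// flags a possible typosquat (e.g. a doubled or tripled letter).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(
        d[i - 1][j] + 1,
        d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return d[a.length][b.length];
}

// files: { filename: contents }; metadata: the package's declared credentials/env;
// expectedDomain: the one host (and its subdomains) the key may be sent to.
function auditSkill(files, metadata, expectedDomain) {
  const findings = [];
  const hosts = new Set();
  const hooks = new Set();
  let keyInputs = 0;
  for (const [name, text] of Object.entries(files)) {
    for (const m of text.matchAll(URL_RE)) hosts.add(m[1].toLowerCase());
    for (const m of text.matchAll(HOOK_RE)) hooks.add(m[1]);
    if (name.endsWith('.html')) keyInputs += [...text.matchAll(KEY_INPUT_RE)].length;
  }
  for (const host of hosts) {
    if (host === expectedDomain || host.endsWith('.' + expectedDomain)) continue;
    const dist = editDistance(host, expectedDomain);
    findings.push({
      kind: dist <= 2 ? 'lookalike-domain' : 'undeclared-domain',
      detail: `${host} (distance ${dist} from ${expectedDomain})`,
    });
  }
  for (const hook of hooks) findings.push({ kind: 'runtime-hook', detail: hook });
  const declared = (metadata.credentials || []).length + (metadata.env || []).length;
  if (keyInputs > 0 && declared === 0) {
    findings.push({
      kind: 'undeclared-credential',
      detail: `${keyInputs} key input(s) in the UI, none declared in metadata`,
    });
  }
  return { hosts: [...hosts].sort(), hooks: [...hooks].sort(), findings };
}

// Constructed sample package mirroring the report's observations: a signup
// link with a suspect spelling in SKILL.md, a plugin that registers a hook and
// calls an (assumed) API host, and a sidebar that collects a key in the UI.
const SAMPLE_FILES = {
  'SKILL.md': 'Sign up at https://signallloomai.com/signup.html to get an API key.',
  'loomlens-openclaw-plugin.ts':
    'export const hooks = { before_model_resolve: async (ctx) => ctx };\n' +
    'const API = "https://api.signalloomai.com/v1/estimate"; // assumed endpoint',
  'sidebar.html': '<input type="password" name="api_key" placeholder="Signal Loom API key">',
};
const SAMPLE_METADATA = { credentials: [], env: [] }; // nothing declared, as in the report

function runSampleAudit() {
  return auditSkill(SAMPLE_FILES, SAMPLE_METADATA, 'signalloomai.com'); // assumed domain
}

console.log(JSON.stringify(runSampleAudit().findings, null, 2));
```

On the constructed input this reports three findings: `signallloomai.com` as a lookalike of the assumed domain (edit distance 1), the `before_model_resolve` runtime hook, and a UI key input with no matching credential declaration. The domain allowlist is deliberately strict (exact host or subdomain); anything else is surfaced for a human decision rather than silently accepted.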
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v1.0.0 (2026/4/9)
- First release of LoomLens Live for OpenClaw.
- Opens a sidebar panel showing real-time cost estimates and model recommendations for a prompt.
- Supports 6 model clusters with dynamic recommendations and per-call billing.
- Supports text drag-and-drop, a keyboard shortcut (Cmd/Ctrl+L), and a model override for the next prompt.
- Offers a free trial (3 free runs per day) and a developer revenue-share model, integrated with Signal Loom.
- Easy installation via a workspace hook or the skill installer (where supported).
● Suspicious
Install command
Official: npx clawhub@latest install loomlens-live
Mirror: npx clawhub@latest install loomlens-live --registry https://cn.clawhub-mirror.com
Skill documentation
Introduction
LoomLens Live provides OpenClaw with a real-time cost estimation and model-dispatch sidebar...
Data source: ClawHub · Chinese localization: 龙虾技能库