Security scan
OpenClaw
Suspicious
medium confidence
The skill's stated zero-credential, zero-install model doesn't match its behavior (it claims to scan groups/channels and manage bot tokens), so it requires clarification before installation.
Assessment recommendation
This skill asks the agent to scan all groups/channels and build a relations table but declares no required credentials; don't install yet. Before proceeding, ask the author: (1) exactly which platform APIs/connectors will be used and what credentials are required (e.g., TELEGRAM_BOT_TOKEN) and why they aren't declared, (2) where scanned data and the relations table are stored and who can read them, (3) whether any data is sent to external endpoints (the config.example's 'fallback_method' includi...
⚠ Purpose and capabilities
The skill promises automatic scanning of existing groups/channels and building a 'social relationship' table between owners and bots. That functionality reasonably requires access to chat platform data and bot tokens (e.g., Telegram bot_token shown in config.example.json), but the skill declares no required credentials, binaries, or config paths — this mismatch suggests the declared requirements are incomplete or misleading.
⚠ Instruction scope
SKILL.md explicitly instructs the agent to 'scan existing groups/channels' and build/maintain a relations table and perform automated binding. Those instructions imply reading chat membership, bot roles, and possibly user identifiers. The instructions do not disclose where scanned data is stored, what connectors/APIs are used, or whether any data is transmitted externally (the fallback_method value 'github_discussion' in config.example.json is notable). This scope (scanning all groups/channels) is broad and privacy-sensitive.
ℹ Install mechanism
There is no install spec and no code files to execute, which reduces immediate disk-write/remote-download risk. However, because the skill is instruction-only, the actual behavior depends entirely on the agent's existing connectors and permissions — the absence of install artifacts lowers one class of risk but doesn't eliminate runtime access concerns.
⚠ Credential requirements
The skill declares no required environment variables, but config.example.json includes sensitive fields (bot_token, default_channel_id) and the README describes scanning and building relation tables. Requiring such secrets without declaring them is disproportionate and opaque. It's unclear which credentials the agent will need or how they should be provided/stored.
⚠ Persistence and privileges
always is false (good), but the skill's runtime behavior (automatic scanning across groups/channels and maintaining relations) implies broad access to agent-connected chat data. There is no description of data retention, storage location, or access controls for the generated relation table, meaning persistent sensitive state could be created without clear governance.
Notes before installing
- exactly which platform APIs/connectors will be used and what credentials are required (e.g., TELEGRAM_BOT_TOKEN) and why they aren't declared,
- where scanned data and the relations table are stored and who can read them,
- whether any data is sent to external endpoints (the config.example's 'fallback_method' including 'github_discussion' is suspicious), and
- whether you can limit the skill's scope (test in an isolated account or restrict to a single group).
If you can't verify the source or get clear answers, avoid installing or run it only with a throwaway bot/account with minimal permissions.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.3 2026/3/12
Version 1.0.3 – Adds group/channel scan & condition checks
- Added automated scanning of existing groups/channels to build social relationship tables.
- Introduced hard condition checks (group membership, admin status, channel presence) before cross-bot communication.
- Improved flow documentation and architecture overview in SKILL.md.
- Updated SKILL.md to reflect new process, features, and honest handling when conditions aren't met.
● Harmless
Install command
Official: npx clawhub@latest install cross-bot-communication
Mirror: npx clawhub@latest install cross-bot-communication --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库