Security scan
OpenClaw
Suspicious
high confidence
The skill's instructions require a Digiforma API key (DIGIFORMA_API_KEY) but the registry metadata does not declare any required credential; this mismatch and the unknown source warrant caution.
Assessment and recommendations
This skill appears to do what it claims (send GraphQL queries to Digiforma) but its metadata fails to declare the API key that the instructions require. Before installing: 1) Verify the skill publisher/source — no homepage or known owner is provided. 2) Do not provide your DIGIFORMA_API_KEY unless you trust the source; request that the skill metadata be corrected to list DIGIFORMA_API_KEY as a required credential. 3) If you must use it, create a least-privilege API token on Digiforma (scoped and...
⚠ Purpose and capabilities
The skill's name and description match the instructions (query Digiforma GraphQL API). However, the SKILL.md explicitly requires a Bearer token via the environment variable DIGIFORMA_API_KEY while the registry metadata lists no required environment variables or primary credential — an incoherence between declared capabilities and what the skill actually needs.
⚠ Instruction scope
The instructions stay within the stated purpose (building and POSTing GraphQL queries to https://app.digiforma.com/api/v1/graphql). They do not request system files or unrelated environment variables. The problem: the runtime instructions reference an environment variable (DIGIFORMA_API_KEY) that is not declared in the skill metadata, which could lead to accidental secret exposure if users are not warned.
✓ Installation mechanism
Instruction-only skill with no install steps or code to write to disk. This is lower risk because nothing is downloaded or installed by the skill package itself.
⚠ Credential requirements
SKILL.md requires DIGIFORMA_API_KEY (a secret) but the skill's declared requirements list no environment variables or primary credential. The skill is therefore not transparently declaring the secret access it needs; this lack of declaration is disproportionate and a potential governance/privacy risk.
✓ Persistence and permissions
The skill does not request always:true or other elevated persistence. It is user-invocable and allows normal autonomous invocation (disable-model-invocation is false), which is the platform default and not itself a red flag here.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/23
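The mismatch the scan flags (instructions that use DIGIFORMA_API_KEY while the metadata declares no credential) can be checked mechanically before a skill is installed. The following is an added example, not ClawHub's or OpenClaw's scanner code; the function names and the `declared` list are hypothetical, because the registry's metadata format is not shown on this page.

```python
import re

# Constructed sample: lines copied from the skill document shown on this page.
SKILL_MD = '''\
All requests use Bearer token auth. The API key is stored in environment variable DIGIFORMA_API_KEY.
curl -s -X POST https://app.digiforma.com/api/v1/graphql \\
  -H "Content-Type: application/json" \\
  -H "Authorization: Bearer $DIGIFORMA_API_KEY" \\
  -d '{"query": "YOUR_GRAPHQL_QUERY"}'
'''

# Shell-style references: $NAME or ${NAME}
SHELL_REF = re.compile(r'\$\{?([A-Z][A-Z0-9_]*)\}?')
# Prose references: "environment variable NAME"
PROSE_REF = re.compile(r'(?i:environment variable)\s+`?([A-Z][A-Z0-9_]{2,})')
# Name fragments that usually indicate a secret (a heuristic, not a guarantee)
SECRET_HINT = re.compile(r'KEY|TOKEN|SECRET|PASSWORD|PASSWD')


def referenced_env_vars(text):
    """Collect every environment variable name the instruction text mentions."""
    return set(SHELL_REF.findall(text)) | set(PROSE_REF.findall(text))


def undeclared_env_vars(text, declared):
    """Return one finding per variable used in the text but absent from `declared`.

    `declared` is a hypothetical list of names taken from the skill's registry
    metadata; the real metadata format is not shown on the page.
    """
    missing = referenced_env_vars(text) - set(declared)
    return [
        {"name": name, "looks_secret": bool(SECRET_HINT.search(name))}
        for name in sorted(missing)
    ]


if __name__ == "__main__":
    # Metadata as the scan describes it: no environment variables declared.
    for finding in undeclared_env_vars(SKILL_MD, declared=[]):
        kind = "secret" if finding["looks_secret"] else "variable"
        print(f"undeclared {kind}: {finding['name']}")
```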
Initial release of Digiforma skill.
- Enables querying Digiforma's training management platform using the GraphQL API.
- Supports retrieval of trainees, sessions, invoices, programs, and trainers.
- Authentication via Bearer token using the DIGIFORMA_API_KEY environment variable.
- Includes example GraphQL queries for common use cases.
- Details pagination and important usage notes for efficient data access.
● Suspicious
Install command
Official: npx clawhub@latest install digiforma
Mirror: npx clawhub@latest install digiforma --registry https://cn.clawhub-mirror.com
Skill documentation
Digiforma is a French training management platform (centre de formation). Query it via GraphQL.
Authentication
All requests use Bearer token auth. The API key is stored in environment variable DIGIFORMA_API_KEY.
Endpoint
POST https://app.digiforma.com/api/v1/graphql
How to query
Use curl:
curl -s -X POST https://app.digiforma.com/api/v1/graphql \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $DIGIFORMA_API_KEY" \
-d '{"query": "YOUR_GRAPHQL_QUERY"}'
Common queries
List trainees (stagiaires)
{ trainees(perPage: 20, page: 1) { items { id firstName lastName email phone } pagination { totalItems totalPages } } }
Search trainee by name
{ trainees(perPage: 10, page: 1, search: "NOM") { items { id firstName lastName email phone } } }
List training sessions
{ trainingSessions(perPage: 20, page: 1) { items { id name status startDate endDate program { name } } pagination { totalItems totalPages } } }
List programs
{ programs(perPage: 20, page: 1) { items { id name duration } pagination { totalItems totalPages } } }
List invoices
{ invoices(perPage: 20, page: 1) { items { id number amount status dueDate company { name } } pagination { totalItems totalPages } } }
List trainers (formateurs)
{ trainers(perPage: 20, page: 1) { items { id firstName lastName email } pagination { totalItems totalPages } } }
Training session details
{ trainingSession(id: ID) { id name status startDate endDate program { name } trainees { firstName lastName email } trainer { firstName lastName } } }
Pagination
Always use perPage and page. Check pagination.totalPages to know if more pages exist.
Important notes
- All dates in ISO format
- Status values: draft, planned, ongoing, completed, cancelled
- Always paginate large results (perPage max ~50)
- For complex filters, combine search with status filters
Data source: ClawHub · Chinese localization: 龙虾技能库