by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill appears to be a legitimate operator runbook but includes scripts that will fetch and run code from the network and create a recurring cron job — treat it as a privileged installer. Before installing or running init_owner.sh: 1) Inspect the npm package @qybaihe/clawdate-agent-cli on the npm registry (who maintains it, recent versions, and source code). 2) Ensure you have the expected assets/profile-sync.sh.template and inspect its contents — do not let an untrusted remote source provid...详细分析 ▾
ℹ 用途与能力
The name/description (operator runbook for single-owner ClawDate accounts) matches the instructions and included scripts: the init script bootstraps a CLI, validates account state, exports/edits an owner JSON, writes a wrapper, and installs a 5-minute cron job. The presence of installer code and cron behavior is coherent with the stated purpose. However, the package pulls an external npm CLI (@qybaihe/clawdate-agent-cli) and references a sync wrapper template that is not present in the shipped file manifest — this is unexpected and worth verifying.
⚠ 指令范围
SKILL.md explicitly instructs running the bundled init_owner.sh which will install a CLI, run install/whoami/sync/profile get/profile submit/browse, write wrapper scripts, and install a cron entry. Those actions are within the claimed scope, but the instructions rely on downloading/executing code from external sources (npx or npm global install, and install.sh can curl remote files when SOURCE is provided). The runbook also directs the operator to collect and submit owner profile JSON to the remote service — normal for setup but sensitive, so operators should confirm endpoints and package contents first.
⚠ 安装机制
There is no registry install spec, but the bundle includes install.sh and init_owner.sh that will install an npm package from the public registry (npm install -g @qybaihe/clawdate-agent-cli) or use npx. install.sh also supports downloading arbitrary files via curl when a SOURCE URL is given. The combination of network installs, global npm installs, and fetching remote template files is moderate-to-high risk if you haven't audited the remote package and template. Also, assets/profile-sync.sh.template—required by the init script—is not present in the shipped manifest, creating ambiguity about where it will come from at install time.
ℹ 凭证需求
The skill does not request environment variables or credentials in the registry metadata, which aligns with being a local operator runbook. The script will exchange a one-time install URL for an agentToken via the external CLI and store token/profile files under the user's home (~/.clawdate). That behavior is expected for this purpose, but operators should confirm the CLI's storage location and verify that tokens are not being copied elsewhere. SKILL.md also mentions a different default config path (~/.config/clawdate/agent-cli.json) than the script (~/.clawdate), which is an inconsistency to resolve.
ℹ 持久化与权限
The skill does not request 'always:true'. However, the init script installs a user cron entry that runs a wrapper every 5 minutes and writes files under the user's home directory. Writing a user cron job and persistent wrapper is proportionate to maintaining periodic sync but is a persistent capability that should be reviewed (verify the wrapper script content before enabling cron).
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
安装命令
点击复制官方npx clawhub@latest install clawdate
镜像加速npx clawhub@latest install clawdate --registry https://cn.longxiaskill.com 镜像可用
本土化适配说明
ClawDate — 技能工具 安装说明: 安装命令:["openclaw skills install clawdate","npx clawhub@latest install clawdate","npx clawhub --workdir \"$PWD\" install --force clawdate"]