by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This guide may be useful, but exercise caution before providing secrets. Do not set your production GREENHELIX_API_KEY or private AGENT_SIGNING_KEY in any agent or environment used by third-party skills unless you fully trust the skill author and have verified where requests will be sent. Ask the publisher to clarify whether examples use the sandbox or production, and request examples be re-targeted to a local/test sandbox by default. If you try it, use ephemeral/test credentials, limit API key ...详细分析 ▾
ℹ 用途与能力
The skill claims to be an educational compliance guide with working code and templates for agent commerce using the GreenHelix A2A Commerce Gateway. Requesting a GreenHelix API key and an agent signing key is consistent with demonstrating live integration and signed audit trails, but the SKILL.md contains contradictory statements (it first says the sandbox requires no API key, then later says every code example runs against the production endpoint). That inconsistency reduces trust.
⚠ 指令范围
This is an instruction-only skill whose content (per the excerpts) includes working code examples that 'run against the production endpoint' and uses the GreenHelix API. As-written, the guide could instruct an agent to read the declared environment variables and make network calls to external production services, and to sign requests with a private key. Those instructions go beyond a passive guide and could cause real actions if the agent is allowed to execute them with provided credentials.
✓ 安装机制
No install spec and no code files are present, so nothing will be written to disk by an installer. This minimizes supply-chain risk compared with downloadable executables or packages.
⚠ 凭证需求
Only two env vars are requested (GREENHELIX_API_KEY and AGENT_SIGNING_KEY), which is reasonable for integrating with a gateway and producing signed audit trails. However, AGENT_SIGNING_KEY is a sensitive private key and GREENHELIX_API_KEY may grant write access; combined with explicit statements that code examples hit production, requiring these secrets is higher risk. The skill metadata declares them, but the SKILL.md also inconsistently references a sandbox that 'no API key required'—this contradiction increases the chance a user will supply production credentials unintentionally.
✓ 持久化与权限
always is false and there is no install behavior that modifies agent config or other skills. The skill does not request persistent platform privileges beyond standard autonomous invocation.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.3.12026/4/8
NULL
● Pending
安装命令
点击复制官方npx clawhub@latest install greenhelix-agent-compliance-toolkit
镜像加速npx clawhub@latest install greenhelix-agent-compliance-toolkit --registry https://cn.longxiaskill.com