by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
Before installing or supplying credentials: 1) Ask the publisher to explain exactly why AGENT_SIGNING_KEY (a private signing key) is required for a buyer-side guide — you should never provide another agent's private key; if the guide needs to sign requests use your own ephemeral signing key and understand what is signed. 2) Prefer and ask for a read-only GREENHELIX_API_KEY (verification should not require write access). 3) Confirm the sandbox claim (if the sandbox truly requires no key, the meta...详细分析 ▾
ℹ 用途与能力
The skill is an instruction-only buyer's guide that consistently references the GreenHelix A2A Gateway API, so requiring a GREENHELIX_API_KEY is coherent. However the metadata requires an AGENT_SIGNING_KEY (a private signing key) without clear justification for why a buyer/ verifier must possess or supply a private agent identity key. Also the top notice says the GreenHelix sandbox requires no API key, which conflicts with the declared required env var.
ℹ 指令范围
SKILL.md appears to be a static guide with embedded Python examples and claims it does not execute code. From the visible content the instructions stay within the stated purpose (identity verification, auditing claims, checking signatures). The file explicitly references GREENHELIX_API_KEY and AGENT_SIGNING_KEY—these env vars are declared, but it's ambiguous whether examples require sending private keys or instruct the agent to access other local files/credentials (the full document should be checked for any steps that read unrelated system files or secret stores).
✓ 安装机制
No install spec and no code files — instruction-only — so nothing will be written to disk or downloaded by the skill itself. This is the lowest-risk install model.
⚠ 凭证需求
Requiring GREENHELIX_API_KEY is expected for API calls, but the guide's own text says the sandbox needs no API key (contradiction). More importantly, AGENT_SIGNING_KEY is listed as required; that name implies a private signing key. A buyer-side verification guide typically needs the ability to verify signatures (public keys) or sign its own requests with its own client key, but it should not require third-party private keys. The skill also identifies GREENHELIX_API_KEY as having read/write scope (per embedded description), yet a read-only key would often suffice for verification tasks. Requesting writable keys or private signing keys without clear need is disproportionate and risky.
✓ 持久化与权限
always is false and there is no install, so the skill does not request elevated persistent presence or automatic global inclusion. It does not appear to modify other skill configs.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.3.12026/4/11
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install greenhelix-agent-trust-verification
镜像加速npx clawhub@latest install greenhelix-agent-trust-verification --registry https://cn.longxiaskill.com