📦 Gusnais Skill — Community API Integration

v1.0.0

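Provides CLI-friendly API integration for Ruby-China/Homeland, keeping the same permissions and behavior as the web interface so that users can fully manage community content from the command line.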

by @gyuryongkim (GYURYONGKIM)
Last updated: 2026/4/21
Security scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Assessment recommendation
This skill mostly does what it claims: an OAuth client and plugin API caller for gusnais.com. However: (1) the registry metadata incorrectly lists no required env vars while the code and SKILL.md require CLIENT_ID and CLIENT_SECRET — treat that as a packaging/integrity red flag and confirm the source before giving secrets; (2) the bootstrap and client scripts will persist client_secret, access_token, and refresh_token into a JSON file if you set TOKEN_STORE_PATH — store that file only in a safe ...
Detailed analysis
Purpose and capability
Name, description, SKILL.md, and included scripts consistently implement a Gusnais/Homeland-compatible API client using OAuth (CLIENT_ID/CLIENT_SECRET). That capability is coherent with the stated purpose. However the registry metadata declares no required environment variables even though the SKILL.md and scripts clearly require CLIENT_ID and CLIENT_SECRET (and optionally TOKEN_STORE_PATH). This mismatch is an integrity/packaging concern.
Instruction scope
SKILL.md confines runtime actions to OAuth flow, token validation (/api/v3/users/me), reading the two reference docs, and using the two included scripts. The scripts only perform HTTP calls to the gusnais.com site and read/write a local token store JSON. They do not attempt broader system access or unexpected network endpoints. The instructions recommend persisting tokens to disk which expands scope (local file I/O) and should be considered.
Install mechanism
No install script or external downloads are declared (instruction-only install). The code files are bundled with the skill; there is no remote fetch or archive extraction. This is lower-risk than arbitrary remote installs.
Credential requirements
The skill requires CLIENT_ID and CLIENT_SECRET (and may use OAUTH_CODE, REDIRECT_URI, TOKEN_STORE_PATH) to function, which is proportionate to an OAuth client. But the registry metadata lists no required env vars (incoherent). The scripts persist client_secret and refresh tokens into a JSON file (TOKEN_STORE_PATH) on disk, which increases sensitive data exposure and must be intentionally approved by the user.
Persistence and privileges
The skill does not request always:true and does not modify other skills. It writes/updates a token-store JSON file and sets file permissions to 0600 — normal for a client but it does create persistent credentials on disk which raises confidentiality considerations for the user.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest v1.0.0 2026/3/20

Benign

Install command

Official: npx clawhub@latest install gusnais-skill
Mirror (accelerated): npx clawhub@latest install gusnais-skill --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库