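📦 Helmet — Library Search
v0.3.1 One-step search of the collections of the Helsinki metropolitan area public libraries (Helmet.finna.fi), covering books, periodicals, audio and video and other resource types, with loan status, holds and renewals.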
Last updated
2026/4/17
Security scan
OpenClaw
Safe
high confidence
Assessment and recommendations
This skill appears to be what it says: a CLI client for Helmet (Helsinki libraries). Before installing, verify you trust the npm package publisher (@helmet-ai) — npm packages execute code at install time. The CLI will store library card numbers and PINs in ~/.config/helmet/config.json and session cookies under ~/.config/helmet/sessions (permissions claimed as 0600). If you keep multiple family profiles, the agent can query all of them (and perform non-destructive fan-out) so consider limiting st...
✓ Purpose and capabilities
Name/description match the requirements and behavior: the skill invokes a 'helmet' CLI, offers account/hold/renew/fines/search actions, and declares the same CLI in its install spec. The declared config path (~/.config/helmet/config.json) and session cache are appropriate for a local library-account client.
✓ Instruction scope
SKILL.md instructs only to run the 'helmet' CLI with --json, perform login once per card, and use profile flags. It does not direct the agent to read unrelated system files or transmit data to unexpected endpoints. It does document reading/writing local config and session cookies (expected for this use).
ℹ Installation mechanism
Installation is via an npm package (@helmet-ai/helmet) which is a common, expected mechanism for providing the 'helmet' binary. Installing npm packages runs publisher code on the machine during install — normal but a moderate risk compared with no-install skills. No suspicious download URLs or extract-from-unknown-host steps are present.
ℹ Credential requirements
The skill requests no environment variables and only a local config path. It stores card numbers and PINs in ~/.config/helmet/config.json and session cookies under ~/.config/helmet/sessions. This is proportionate to the stated functionality, but these are sensitive credentials — their presence is expected but worth considering before installing.
✓ Persistence and privileges
The skill is not always-enabled and does not request elevated platform privileges. It does allow the agent to call the CLI (the platform default allows autonomous invocation); combined with stored credentials, that means the agent could perform account actions (renewals, holds) if permitted—this is consistent with the skill's purpose.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v0.3.1 2026/4/13
● Benign
Install command
Official: npx clawhub@latest install helmet
Mirror (faster): npx clawhub@latest install helmet --registry https://cn.longxiaskill.com