📦 LeSecure Cloud — 技能工具
v1.0.0LESecure Cloud Skills — encrypt or decrypt data using the LESecure API with layered locks (pin, password, MFA, time lock). Use this skill whenever the user m...
0· 19·0 当前·0 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's stated purpose (cloud plaintext encryption via LESecure API) is plausible and mostly consistent, but the runtime instructions have portability and safety gaps (implicit curl/Bash requirement, macOS-specific date syntax, and no guidance on safely handling user data/API keys when building shell commands) that don't add up and could lead to misuse or secrets exposure.
评估建议
This skill appears to do what it says (call LESecure's API for plaintext encryption), but there are practical and safety issues you should consider before installing or using it:
- The SKILL.md assumes Bash, curl, and a BSD-style date command (date -v). If your agent runs on typical Linux (GNU date) these date commands will fail — ask the author to provide portable date logic or to compute times in the runtime rather than via shell snippets.
- The instructions build curl commands that embed use...详细分析 ▾
ℹ 用途与能力
The skill claims to call the LESecure Cloud API to encrypt/decrypt plaintext only — that matches the instructions and the declared API endpoint. However, the SKILL.md implicitly requires Bash, curl, and a particular 'date -v' syntax (BSD/macOS), while the registry metadata lists no required binaries; this mismatch is a practical coherence issue (the skill will fail or behave differently on many Linux environments).
⚠ 指令范围
The instructions tell the agent to build and execute curl calls via Bash and to include user-supplied data and lock values directly in a JSON string passed to curl. There is no guidance about properly escaping or JSON-encoding user input, which creates a real risk of command injection or malformed requests. The date calculation examples use BSD/macOS date flags (date -v) which are not portable to GNU date on typical Linux hosts. The skill also mandates EST/EDT handling and a +2 minute buffer, which is a protocol choice but should be documented as a server requirement; it is not a security issue by itself.
✓ 安装机制
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing will be downloaded or written by the skill package itself.
ℹ 凭证需求
The skill requests the user's API key at runtime rather than declaring env vars or storing credentials — this is proportionate and reduces long-lived exposure. The SKILL.md warns not to log the API key. However, because the instructions embed the key into shell commands, there's still a risk that the key could be leaked via shell history, process listings, agent logs, or improperly escaped output unless the runtime is careful; the skill does not instruct how to avoid these leaks.
✓ 持久化与权限
No always:true, no persistent install, and no request to modify other skills or system settings. Normal user-invocable/autonomous invocation defaults apply.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/15
LESecureCl 1.0.0 — Initial Release - Adds encryption and decryption of plain text via the LESecure API with combinable security locks (PIN, password, MFA, time-based). - Implements strict routing: plaintext handled in cloud; files/folders always directed to LESecure Local. - Automatic time window handling in EST/EDT, with a +2 minute buffer for start times. - Guides user to specify security lock types and values, API key, and output preferences for each operation. - Returns readable plain text output and provides clear error feedback, including troubleshooting steps.
● 可疑
安装命令
点击复制官方npx clawhub@latest install lesecurecl
镜像加速npx clawhub@latest install lesecurecl --registry https://cn.longxiaskill.com
技能文档
Encrypt and decrypt plain text data only through the LESecure REST API. The API supports layered security "locks" that can be combined for defense-in-depth protection.
ROUTING RULES (MANDATORY)
- LESecure Cloud is for PlainText ONLY. Never use the cloud API for files or folders.
- If the user wants to encrypt/decrypt files or folders, always redirect to LESecureLocal (the desktop tool). Inform the user: "File/folder encryption is only supported via LESecure Local (desktop). Let me use that instead."
- If the user wants to encrypt/decrypt plain text, ask them: "Would you like to use LESecure Cloud (API) or LESecure Local (desktop)?" and proceed accordingly.
API Basics
- Endpoint:
https://api.lesecure.ai/exec - Method: POST
- Auth: Bearer token in the Authorization header
- Content-Type:
application/json - Body:
{"args": []}
The user must provide their API key each time. Ask for it if not provided.
Date & Time Rules (MANDATORY)
All date/time handling for this skill follows these rules — no exceptions, no need for the user to restate them:
- Always use EST/EDT (America/New_York) to calculate and send dates. The LESecure server interprets
-land-rin EST/EDT. Never use UTC, never convert. - Start time (
-l) = current EST + 2 minutes by default. This buffer prevents the "date must be in future" error caused by clock drift between the client and server. - End time (
-r) = start time + the user's requested duration (e.g., "for next 10 min" means-ris start + 10 min, so 12 minutes from "now" in absolute terms). - Standard commands for computing times:
-l): TZ=America/New_York date -v+2M "+%Y/%m/%d %H:%M"
- End (-r) for N minutes: TZ=America/New_York date -v+$((2+N))M "+%Y/%m/%d %H:%M"
- End (-r) for N hours: TZ=America/New_York date -v+2M -v+${N}H "+%Y/%m/%d %H:%M"
- Always display the window back to the user in EDT/EST so they know when they can decrypt.
Available Locks
LESecure supports four lock types that can be combined freely:
| Flag | Lock Type | Value | Example |
|---|---|---|---|
-1 | Pin/Code | Numeric string | "1122" |
-w | Password | Passphrase string | "mypasscode" |
-2 | MFA | Phone number (E.164) | "+19199870623" |
-l | Time lock start | Date/time YYYY/MM/DD HH:MM | "2026/04/12 17:41" |
-r | Time lock end | Date/time YYYY/MM/DD HH:MM | "2027/04/12 17:36" |
-l and -r) are used together to define an access window during which decryption is allowed.Operations
Encrypt (-e)
Use -e followed by the data to encrypt.
Decrypt (-d)
Use -d followed by the encrypted data to decrypt. The same locks used during encryption must be provided for decryption.
Output Flags
| Flag | Purpose |
|---|---|
--PlainText | Output as plain text |
--PlainText for readable output.Building the curl Command
Construct the args array by mapping user requirements to flags. Order within the array doesn't matter, but group related flags and their values together for readability.
Encrypt with pin lock only:
curl -s https://api.lesecure.ai/exec \
-H "Authorization: Bearer " \
-H "Content-Type: application/json" \
-d '{"args":["-e","","-1","","--PlainText"]}'
Encrypt with all locks:
curl -s https://api.lesecure.ai/exec \
-H "Authorization: Bearer " \
-H "Content-Type: application/json" \
-d '{"args":["-e","","-w","","-1","","-2","","-l","","-r","","--PlainText"]}'
Decrypt:
curl -s https://api.lesecure.ai/exec \
-H "Authorization: Bearer " \
-H "Content-Type: application/json" \
-d '{"args":["-d","","-1","","--PlainText"]}'
Workflow
- Gather inputs from the user:
--PlainText- Build the args array with the appropriate flags and values.
- Execute the curl command via Bash and return the result to the user.
- If decrypting, remind the user they need the same lock values that were used during encryption.
Important Notes
- Phone numbers for MFA (
-2) should be in E.164 format (e.g.,+19199870623). - Time lock dates use the format
YYYY/MM/DD HH:MM. See the "Date & Time Rules" section above — always EST/EDT, always +2 min buffer on start. - Time locks require both
-l(start) and-r(end) to define the access window. - The API key is sensitive -- never log it or include it in output shown to the user.
- If the API returns an error, show the response to the user and help them troubleshoot (common issues: wrong lock values for decryption, expired time window, invalid API key).