Security scan
OpenClaw
Safe
High confidence: The skill's files, env requirements, and runtime instructions are coherent with its stated purpose (calling LLM Signal agent plan/status endpoints), though there are a few operational privacy risks to be aware of.
Assessment recommendations
This package appears to do what it says: call your LLM Signal endpoints and return action plans. Before installing, consider the following: (1) the scripts embed your API key in the JSON payload and in the curl command — that means the key (and any persisted run history) may be stored on the remote service and the key could be exposed in local process lists or shell history. Prefer sending only an authentication header and avoid including the key in request bodies if the service accepts header a...
✓ Purpose and capabilities
Name/description match the requested resources: the skill talks to LLM Signal agent endpoints and requires LLMSIGNAL_BASE_URL, LLMSIGNAL_SITE_ID, and LLMSIGNAL_API_KEY and curl/bash/sh to run the included scripts. Required binaries and env vars are proportional to the declared purpose.
ℹ Instruction scope
SKILL.md and prompts direct the agent to call /api/agent/v1/plan and /api/agent/v1/status and to persist runs. The instructions do not request unrelated files or credentials. Two operational issues: (1) the templates and scripts include the API key in the JSON body (and also send it as a header), and (2) executing curl with the API key embedded in the command line can expose the key in process lists or shell history. Both are scope-consistent but increase secret exposure risk.
✓ Install mechanism
No install spec is present (instruction-only + bundled scripts). No downloads or external install sources are used, which minimizes supply-chain risk.
ℹ Credential requirements
The declared environment variables are strictly the service base URL, site id, and API key — appropriate for an API-integration skill. However, the API key is duplicated into the request body and sent with persist=true, which means the key (and run content) may be stored on the remote service; this increases exposure beyond typical header-only authentication and should be justified or removed.
✓ Persistence and privileges
always is false and the skill is user-invocable. Persisting run history is a declared behavior (persist=true) that applies to the remote service; the skill does not request elevated platform privileges or modify other skills' configs.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v0.1.0 2026/3/7
Initial release of llm-signal-geo-analyst.
- Enables deterministic GEO action plan fetching, site health checks, and execution/review of OpenClaw agent workflows.
- Supports automatic execution of safe actions, while routing manual/assist actions for human approval.
- Integrates with LLM Signal agent APIs; requires specific environment variables and key binaries (`curl` or PowerShell).
- Provides clear output format for action recommendations.
- Compatible only with Growth and Pro plans.
● Benign
Install command
Official: npx clawhub@latest install llm-signal-geo-analyst
Mirror: npx clawhub@latest install llm-signal-geo-analyst --registry https://cn.longxiaskill.com (mirror sync in progress)
Skill documentation
Use this skill to operate LLM Signal agent flows from OpenClaw.
Required environment
- LLMSIGNAL_BASE_URL (example: https://www.llmsignal.app)
- LLMSIGNAL_SITE_ID
- LLMSIGNAL_API_KEY
Execution policy
- Call `POST /api/agent/v1/plan` before recommending actions.
- Automatically execute only `auto_safe` actions.
- Route `manual` and `assist` actions to human approval.
- Never output API keys or secrets.
Run plan request
{baseDir}/scripts/fetch-plan.sh
Run status request
{baseDir}/scripts/fetch-status.sh
Output format for each recommended action
Return:
- title
- priority
- reason
- exact steps
- command/diff scaffold (if present)
- approval required (yes for manual/assist, no for auto_safe)
Notes
- Agent API access limited to Growth and Pro plans.
- Use `persist=true` in plan calls to store run history and outcomes.