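📦 Permissions Broker — Permissions Proxy
v1.0.9 Calls the Permissions Broker service through a Telegram approval gateway to securely read data from controlled Google APIs (such as Drive and Docs), providing permission isolation and an approval flow.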
Last updated
2026/2/26
Security scan
OpenClaw
Safe
medium confidence
Assessment and recommendations
This skill appears to do what it says: it helps the agent create brokered upstream API requests that the user approves in Telegram. Before installing or storing any broker key: 1) Verify you trust the broker service hostname (the docs refer to https://permissions-broker.steer.fun) and the Telegram bot that issues keys. 2) Prefer session-only keys if you do not want persistent agent access; only store PB_API_KEY in the agent's secret store after explicit consent. 3) Be aware the agent is told to ...
✓ Purpose and capability
The SKILL.md describes a broker/proxy that creates upstream requests and obtains user approval via Telegram—everything the skill asks the agent to do (create proxy request, poll for approval, call execute) matches that purpose. It does not request unrelated credentials or system access.
ℹ Instruction scope
Instructions are explicit about building POST /v1/proxy/request bodies, polling for approval, and calling execute. They warn not to paste API keys into logs. A potentially ambiguous instruction is 'parse/persist what you need on the first successful execution' — that could be interpreted to persist sensitive upstream data without explicit re-consent. Also the SKILL.md tells the agent to ask the user to paste the PB_API_KEY from Telegram and optionally store it; this is within scope but requires explicit user consent in practice.
✓ Install mechanism
Instruction-only skill with no install steps, no code files, and no binaries requested. This is low-risk from an install/execution perspective.
ℹ Credential requirements
No required env vars are declared, but the skill instructs storing a broker API key (PB_API_KEY) in the agent's secrets store if the user consents. That is proportional to the purpose. There are no requests for unrelated secrets or host-level config.
ℹ Persistence and privilege
always:false (normal). The skill permits storing a PB_API_KEY for reuse if the user agrees; combined with autonomous invocation this would allow the agent to create broker requests without re-prompting the user (approval still happens in Telegram). This behavior is expected for this kind of broker but is a privacy/abuse consideration the user should understand.
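Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v1.0.9 2026/2/9
● Benign
Install command
Official: npx clawhub@latest install permissions-broker
Mirror (accelerated): npx clawhub@latest install permissions-broker --registry https://cn.longxiaskill.com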