Security Scan
OpenClaw
Suspicious
medium confidence
Assessment Recommendations
This skill appears to implement the described Reah card access flow and keeps network activity constrained to agents.reah.com, but there are a few things to verify before installing:
- Confirm provenance: the registry lists the source as unknown and SKILL.md/README point to a GitHub install; verify the skill's origin (official Reah repo) before adding it to an agent that will handle card keys.
- Metadata mismatch: SKILL.md requires REAH_AGENT_KEYS but the registry metadata you saw did not decla...
ℹ Purpose and Capabilities
The skill claims to retrieve masked card info from Reah and the included Node example implements a GraphQL call to https://agents.reah.com/graphql and local decryption — this is coherent with the description. However the package/registry metadata provided to the evaluator omits the REAH_AGENT_KEYS env var that the SKILL.md and README clearly require, creating an inconsistency between declared requirements and the runtime instructions.
ℹ Instruction Scope
SKILL.md limits network calls to the single Reah GraphQL endpoint, requires explicit user confirmation before reading REAH_AGENT_KEYS, and mandates masking/no-export of raw PAN/CVC. The example Node script enforces endpoint immutability and does the decryption locally. That scope is appropriate for the stated goal. Caveat: the example decrypts values in memory but does not show or save them — enforcement of masking/never-exposing card data is purely procedural (instructions), not enforced across the skill surface.
✓ Install Mechanism
This is an instruction-only skill with an included reference script; there is no install spec that downloads remote artifacts. The README suggests an npx install from a GitHub repo, but the registry package contains no install spec. No remote download URLs or installers were found in the provided files.
⚠ Credential Requirements
The skill expects sensitive REAH_AGENT_KEYS to be available (and the SKILL.md metadata lists REAH_AGENT_KEYS). That is proportionate to the function, but the registry metadata earlier reported 'Required env vars: none' — this mismatch is concerning. Also the README instructs adding a JSON mapping to REAH_AGENT_KEYS in agent env. Ensure the skill will only read keys after explicit per-read confirmation as required by SKILL.md and that the agent/platform enforces that confirmation flow rather than silently reading environment variables.
✓ Persistence and Permissions
The skill does not request always:true, does not modify other skills or system settings, and has normal invocation privileges. Nothing requests elevated or permanent system presence.
Security comes in layers; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest  v1.0.3  2026/4/8
● Harmless
Install Command
Official: npx clawhub@latest install reah-agent-card
Mirror (accelerated): npx clawhub@latest install reah-agent-card --registry https://cn.longxiaskill.com