📦 RelayPlane — 运维观测层
v4.1.0专为 OpenClaw 设计的智能代理运维层,提供可观测性、治理与成本优化,并内置自动故障转移,零中断保障现有配置。
5· 2.8k·4 当前·4 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceThe skill's high-level purpose (an agent ops proxy) is plausible, but contradictory instructions and missing/unclear claims about installation, environment variables, and model-invocation raise concerns you should resolve before installing.
评估建议
Before installing or enabling this skill: 1) Do not blindly run `npm install -g` for packages you haven't audited — review the package source on the linked GitHub and the published npm package contents. 2) Clarify the README vs SKILL.md contradiction about setting provider BASE_URL env vars — if you point provider base URLs at a local proxy without a circuit-breaker, you risk a single point of failure and having all prompts routed through that process. 3) Confirm the telemetry defaults: test `re...详细分析 ▾
ℹ 用途与能力
The skill claims to be an optional local proxy that routes and governs LLM calls — that reasonably explains the npm CLI and proxy commands in SKILL.md. However, README.md and SKILL.md give inconsistent guidance (README recommends setting provider BASE_URL env variables to point at the proxy; SKILL.md explicitly warns against doing that). Also the registry metadata flags (model-invocable/defaults) differ from SKILL.md's internal metadata. These inconsistencies make it unclear which behavior the skill actually expects from an integrator.
⚠ 指令范围
SKILL.md asks you to install and run a global npm package and to run a local proxy which will receive agent traffic. The README explicitly shows examples that would 'hijack' all traffic by setting provider BASE_URL envs — a configuration the SKILL.md warns against. That contradiction is important: one configuration (env exports) will route all traffic through the proxy without an OpenClaw circuit-breaker/fallback and could cause a single point of failure or unexpected interception of all prompts. The instructions also describe process management and automatic spawning, but as an instruction-only skill there's nothing in the registry to verify how that integration is implemented.
ℹ 安装机制
There is no registry install spec, but SKILL.md instructs users to run `npm install -g @relayplane/proxy`. Installing a third-party global npm CLI is a normal delivery mechanism for a proxy/CLI but is moderate risk because it executes arbitrary code from npm. The skill provides links (npm, GitHub, docs), so you can inspect the package sources, but the registry itself does not include code to audit.
⚠ 凭证需求
The registry declares no required env vars or credentials, yet README and SKILL.md reference provider API keys and (contradictory) base URL environment variables (e.g., ANTHROPIC_BASE_URL, OPENAI_BASE_URL). The SKILL.md warns not to set BASE_URL envs, while the README demonstrates doing exactly that — this mismatch may lead users to accidentally configure the proxy in a way that intercepts all traffic or disables fallback behavior. Telemetry is mentioned (opt-out and --offline flags) but no explicit explanation of what anonymous data is sent is present.
⚠ 持久化与权限
Registry-level flags say model invocation is allowed by default, but SKILL.md metadata sets disableModelInvocation: true (not model-invocable). This mismatch is important: if the skill or CLI can be invoked autonomously (or run as a background process), it increases blast radius. The skill itself recommends installing a global CLI and a managed proxy which could run as a long-lived local process and optionally send telemetry. Those behaviors are expected for a proxy but should be clearly documented and controlled; the current docs are inconsistent about autonomous invocation and safe defaults.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv4.1.02026/2/4
v4.1: Budget enforcement, anomaly detection, per-subreddit voice defaults, x402 proxy, updated install commands, current proof points
● 可疑
安装命令
点击复制官方npx clawhub@latest install relayplane
镜像加速npx clawhub@latest install relayplane --registry https://cn.longxiaskill.com