Security Scan
OpenClaw
Security
high confidence
Assessment and recommendations
This skill appears to do exactly what it says: it issues GET requests to RevenueCat using the RC_API_KEY. Before installing, confirm the skill's origin (source/homepage are unknown) and only provide a least-privilege RevenueCat API key (a v2 secret scoped to the needed project). Treat RC_API_KEY as sensitive: rotate/revoke it if the skill is removed or if you suspect misuse. If you need stricter control, test the skill with a throwaway or read‑only API key and avoid exposing production keys unti...
✓ Purpose and capabilities
Name/description (RevenueCat metrics, customers, docs) match the delivered files: a small bash wrapper that calls api.revenuecat.com and a large set of API reference documents. Required binary (curl) and the single env var (RC_API_KEY) are expected for this purpose.
✓ Instruction scope
SKILL.md instructs the agent to use scripts/rc-api.sh to call RevenueCat API endpoints and to consult included reference files or the public docs. The script only checks RC_API_KEY and performs a GET to https://api.revenuecat.com/v2<endpoint>. There are no instructions to read unrelated local files, other env vars, or to send data to third‑party endpoints.
✓ Install mechanism
No install spec (instruction-only plus a tiny included script). Nothing is downloaded from external, untrusted URLs and no archive extraction or package installation is requested — low install risk.
✓ Credential requirements
Only RC_API_KEY is required and is exactly the credential needed to call RevenueCat APIs. The skill does not request unrelated secrets or config paths.
✓ Persistence and privileges
always is false and the skill does not request persistent/system-wide privileges or modify other skills. It will only use RC_API_KEY when invoked.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.3 2026/2/5
● Suspicious
Install command
Official: npx clawhub@latest install revenuecat
Mirror (accelerated): npx clawhub@latest install revenuecat --registry https://cn.longxiaskill.com