📦 SatGate — API经济防火墙
v0.1.2在终端里一站式管理 API 的经济防火墙:铸币、消费追踪、吊销代理、预算强制,与 lnget 服务端完美配合。
0· 804·1 当前·1 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill appears to be what it claims — a CLI to manage SatGate gateways — but there are a few practical risks and transparency issues to consider before installing:
- Verify the origin: the installer pulls a binary from GitHub (SatGate-io/satgate-cli). Visit that repository and confirm the release artifacts and SHA256SUMS match what you expect before running install.sh.
- Prefer verified installs: if checksums are missing or your system lacks sha256 tools, the installer will skip verificatio...详细分析 ▾
ℹ 用途与能力
Name/description, SKILL.md, and included scripts all describe a CLI that mints/revokes tokens and talks to a SatGate gateway — that aligns. However, the registry metadata declares no required environment variables or primary credential while the README and configure.sh clearly expect admin/session tokens and several SATGATE_* env vars. The omission reduces transparency and makes automated platform checks impossible.
✓ 指令范围
SKILL.md and the scripts keep to the stated domain: installing the satgate binary, configuring ~/.satgate/config.yaml, and calling the gateway (satgate ping/status). There are no instructions to read unrelated system files or exfiltrate data. The SKILL.md suggests installing an unrelated plugin (lnget) for client-side payments, but that is a documented integration, not hidden behavior.
ℹ 安装机制
install.sh downloads a prebuilt binary from GitHub releases (https://github.com/SatGate-io/satgate-cli), which is a standard release host — good. The script attempts to verify SHA256SUMS but explicitly skips verification if checksums are missing or system tools are absent; in that case the binary is installed without a verified checksum. The installer may use sudo to write to /usr/local/bin. These are reasonable choices but carry the usual risks of installing network-downloaded binaries without enforced verification.
⚠ 凭证需求
The skill manifest lists no required env vars or primary credential, yet SKILL.md and configure.sh expect and store sensitive values (admin_token, session_token, bearer_token, tenant) in ~/.satgate/config.yaml or via SATGATE_* env vars. Requiring admin/session tokens is reasonable for a gateway management CLI, but the manifest's omission is a transparency problem: the platform won't warn users or gate secret provisioning, and automated checks can't reason about needed privileges.
✓ 持久化与权限
The skill does not request always:true, does not modify other skills, and only writes its own user-scoped config (~/.satgate/config.yaml) and can place a binary in standard locations (/usr/local/bin). These behaviors are typical for a CLI installer; expected privileges (filesystem write for installation, network access to the gateway) are within scope.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.22026/2/12
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install satgate
镜像加速npx clawhub@latest install satgate --registry https://cn.longxiaskill.com