Security Scan
OpenClaw
Suspicious
medium confidence
The skill's instructions match a Turso CLI management purpose, but the runtime guidance tells the agent to fetch-and-run a remote installer (curl | bash) and to create/manage auth tokens (including non-expiring tokens), which is risky and not fully reflected in the metadata.
Assessment Recommendations
This instruction-only skill looks functionally correct for managing Turso, but exercise caution before installing or running its commands:
- Avoid running curl ... | bash from unknown hosts. Prefer package managers (brew) or verified release binaries (official GitHub releases) and inspect install scripts before executing.
- Be careful with auth tokens: do not create or expose non-expiring tokens unless strictly necessary; treat tokens as secrets and store them securely.
- Because this skill is i...
Detailed Analysis
ℹ Purpose and Capabilities
Name/description and the listed commands (db, group, org, plan, tokens) are coherent for a Turso CLI helper. The skill does not request unrelated credentials or config paths in metadata.
⚠ Instruction Scope
SKILL.md instructs running installation and authentication commands and obtaining tokens (turso auth login; turso auth token). While these are expected for a CLI helper, the instructions include creating non-expiring tokens and retrieving auth tokens—sensitive operations that an agent could misuse or exfiltrate if given access.
⚠ Install Mechanism
Although the frontmatter lists a brew install command, the Linux/WSL install guidance uses curl -sSfL https://get.tur.so/install.sh | bash which downloads and executes a remote script. Piping arbitrary install scripts to a shell is a high-risk pattern (remote arbitrary code execution). The registry metadata had no formal install spec despite the SKILL.md containing installation instructions, which is an inconsistency to note.
ℹ Credential Requirements
The skill declares no environment variables or credentials in metadata (proportionate). However, its runtime instructions explicitly direct the user/agent to obtain auth tokens and even create non-expiring tokens—these are sensitive secrets and creation of long-lived tokens increases risk. The skill does not justify why non-expiring tokens would be necessary.
✓ Persistence and Privileges
The skill is not marked always:true and does not request any persistent system-wide privileges in metadata. It is user-invocable only, which limits autonomous persistent presence.
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest v1.0.0 2026/3/11
Initial release of the Turso skill.
- Manage Turso SQLite databases via CLI: create, list, destroy, inspect, and query.
- Supports group and organization management through dedicated commands.
- Token management and authentication included.
- Provides setup instructions for macOS and Linux/WSL.
- Always use `--output json` flag for programmatic access where supported.
● Harmless
Install Command
Official: npx clawhub@latest install turso
Mirror (accelerated): npx clawhub@latest install turso --registry https://cn.longxiaskill.com