🤖 UnifAI — 一键调用40+服务
v1.0.4UnifAI CLI 让你在命令行中快速搜索并调用去中心化网络上的 40+ 服务,涵盖 DeFi、代币数据、社交媒体、搜索、新闻、旅游、体育等场景,无需自建后端即可集成多元 API。
0· 436·0 当前·0 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
安全
high confidenceThe skill's requirements and instructions are coherent for a CLI that searches and invokes network services (including optional transaction signing); nothing requested is disproportionate to that purpose, but exercise caution with private keys and installing third‑party npm packages.
评估建议
This skill appears to do what it says: a CLI that finds and invokes network services, optionally signing blockchain transactions. Before installing: (1) verify the npm package and GitHub repository ownership/reputation; prefer npx if you don't want a global install; (2) do NOT put your private keys (SOLANA_PRIVATE_KEY, EVM_PRIVATE_KEY) in environment variables unless you trust the package and understand the risk — any process that can invoke the CLI (including autonomous agents) could sign trans...详细分析 ▾
✓ 用途与能力
Name/description (UnifAI CLI for discovering/invoking services) match the declared binary (unifai), required API key (UNIFAI_AGENT_API_KEY), and optional signing keys/RPCs. The npm package install (unifai-sdk) is a reasonable way to provide the CLI binary.
✓ 指令范围
SKILL.md instructs the agent to search then invoke via the unifai CLI and documents when signing is needed. It does not instruct the agent to read unrelated system files or exfiltrate data. It explicitly uses environment variables for keys and RPCs and warns to always inspect payload schemas before invoking.
ℹ 安装机制
Install uses the npm package 'unifai-sdk' to create the 'unifai' binary. This is an expected mechanism for a Node.js CLI, but npm packages are third‑party code—verify the package's authorship and audit the package if you don't trust the publisher. Using 'npx' avoids a global install.
ℹ 凭证需求
Only UNIFAI_AGENT_API_KEY is required which fits the described network API usage. The optional environment variables (SOLANA_PRIVATE_KEY, EVM_PRIVATE_KEY, RPC URLs) are justified for local transaction signing and RPC overrides, but they are highly sensitive — supplying private keys grants the CLI (and any agent that can invoke it) the ability to sign and submit on‑chain transactions.
✓ 持久化与权限
always:false and no required config paths or system modifications are requested. The skill does not request permanent/system‑wide privileges. Autonomous invocation is allowed by default, which is normal; the skill does not elevate privileges beyond its own CLI usage.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.42026/3/2
- Added a "metadata" section describing environment and installation requirements. - Removed author, license, and repository fields from SKILL.md. - No changes to CLI usage, commands, or functionality.
● 可疑
安装命令
点击复制官方npx clawhub@latest install unifai
镜像加速npx clawhub@latest install unifai --registry https://cn.longxiaskill.com