by 安全扫描
OpenClaw
安全
high confidenceNULL
评估建议
This skill is internally consistent with its description: it queries and invokes MCPMarket tools via the public API. Before installing, consider: (1) the skill will run an OAuth device flow and store a bearer token at ~/.uno/token — review what scopes the token grants and whether you trust https://mcpmarket.cn; (2) the registry metadata did not list the config path or the need for curl (the SKILL.md requires curl and writes to ~/.uno), so expect the skill to create/read that file; (3) invoking t...详细分析 ▾
✓ 用途与能力
The name/description (search + invoke many tools via REST) matches the SKILL.md: it describes search-tools, call-tool, and related endpoints on https://mcpmarket.cn. There are no unrelated credentials or surprising binaries requested.
⚠ 指令范围
The instructions explicitly instruct the agent to create ~/.uno, write a bearer token to ~/.uno/token, and read that file for subsequent calls. The registry metadata did not declare any required config paths, so the SKILL.md reads/writes a user-home path that is not declared in the manifest. This is functionally legitimate for storing an API token but should be noted because the skill will persist a token on disk.
✓ 安装机制
There is no install spec and no code files — the skill is instruction-only and relies on curl. This is low-risk from an install standpoint (nothing is downloaded/executed by the skill itself).
ℹ 凭证需求
The skill declares no required environment variables or primary credential, yet its runtime flow obtains and persists an access token via an OAuth device flow. Requesting and storing a single bearer token is proportional to the stated purpose, but the token file and OAuth flow are not represented in the registry metadata (no primaryEnv, no required config path).
✓ 持久化与权限
always is false and the skill does not request permanent platform-level privileges. The only persistence is the token file in ~/.uno (its own directory). The skill does not modify other skills or system-wide agent settings.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv3.0.02026/3/15
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install uno
镜像加速npx clawhub@latest install uno --registry https://cn.longxiaskill.com