📦 Wei — 魏
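v1.0.0 Cross Research: cross-validates research answers by querying multiple LLMs in parallel and synthesizing them with a judge, reducing hallucinations and surfacing model disagreement, for……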
Last updated
2026/4/19
Security scan
OpenClaw
Suspicious
medium confidence
The skill's code and docs mostly match its stated purpose (multi‑model cross‑validation), but there are a few inconsistencies and risky instructions you should review before installing (missing declared env vars, remote installer invocation, and prompt‑injection strings surfaced by a static scan).
Assessment recommendations
What to check before installing or running this skill:
1) Registry vs docs: The skill really needs API keys (OPENROUTER_API_KEY and/or DASHSCOPE_API_KEY) even though the registry metadata lists none — don't assume no credentials are required. Provide only least‑privilege keys.
2) Remote installer caution: SKILL.md recommends running a remote install script (curl https://bun.sh/install | bash). Avoid running arbitrary bootstrap scripts on sensitive machines — prefer to install Bun from your dist...
ℹ Purpose and capability
The skill actually implements multi‑model querying and judge‑based synthesis (clients for OpenRouter, Bailian/DashScope, and an OpenAI‑compatible client are present), which aligns with the description. However, the published registry metadata declared no required environment variables or primary credential, while SKILL.md and config.json clearly expect API keys (OPENROUTER_API_KEY and/or DASHSCOPE_API_KEY). That mismatch is an incoherence: the skill will need external model API keys but the registry listing does not advertise them.
ℹ Instruction scope
SKILL.md and the scripts instruct the agent to read config.json and prompt templates, query remote model endpoints, and write outputs to intermediate/ and reports/ files (expected). The docs instruct creating a .env file to store API keys (OPENROUTER_API_KEY, DASHSCOPE_API_KEY) — those are relevant to functionality but are sensitive. The instructions also include running a remote install script (curl https://bun.sh/install | bash), which expands the scope of runtime actions beyond the repo code. The agent implementation includes input sanitization against prompt‑injection patterns, and model outputs are saved locally (intermediate files) which could contain user‑supplied or model‑returned sensitive data.
⚠ Install mechanism
There is no formal install spec in the registry (instruction‑only), but SKILL.md instructs users to run a remote bootstrapper (curl https://bun.sh/install | bash) to install Bun, then run bun install. Running an arbitrary remote install script is higher risk than using a reviewed package manager invocation. The Node dependencies are limited (axios, dotenv), which is proportional, but the remote install step is a notable risk that the user should not run blindly.
ℹ Credential requirements
The only sensitive environment variables referenced are OPENROUTER_API_KEY and DASHSCOPE_API_KEY, which are appropriate for a tool that calls OpenRouter and DashScope/Bailian. That is proportionate to its purpose. However, the registry metadata did not declare these required env vars; SKILL.md does — the inconsistency could mislead users into thinking no credentials are needed. The code will read config.json and expect api_key_env names there; ensure you only provide least‑privilege keys and do not store unrelated secrets in .env.
✓ Persistence and privileges
The skill does not request always:true or other elevated platform privileges. It writes reports and intermediate model outputs to local project directories (intermediate/, reports/) and does not appear to modify other skills or global agent configuration. Autonomous invocation is allowed (platform default) but is not combined with unusually broad credentials or persistent privileges.
⚠ scripts/clients/bailian.ts:136
Environment variable access combined with network send.
⚠ scripts/clients/openai_compliant.ts:152
Environment variable access combined with network send.
⚠ scripts/clients/openrouter.ts:120
Environment variable access combined with network send.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v1.0.0 2026/4/19
wei-cross-research v1.0.0
- Initial release.
- Enables robust cross-validation of research answers by querying multiple large language models (LLMs) in parallel and using a judge model to synthesize results.
- Highlights model disagreement for high-stakes or ambiguous questions, reducing hallucination risk.
- Supports role-based domain specialization (e.g., financial, technical, social); judge model adapts synthesis to query domain.
- Offers domain-specific financial analysis format covering base, bull, bear scenarios and key risks.
- Flexible configuration via roles in config.json; environment variable support for model provider keys (OpenRouter, DashScope).
● Benign
Install command
Official: npx clawhub@latest install wei-cross-research
Mirror: npx clawhub@latest install wei-cross-research --registry https://cn.longxiaskill.com