Query and manage EVE Online characters via the ESI (EVE Swagger Interface) REST API. Use when the user asks about EVE Online character data, wallet balance,...
Security Analysis
high confidenceThis skill's code, instructions, and requested configuration are consistent with an EVE Online ESI integration: it stores tokens locally and optionally sends user-configured alerts to Telegram/Discord; nothing in the bundle appears disproportionate or unrelated to that purpose.
Name and description match the included scripts and docs: the bundle implements OAuth2 PKCE authentication, token management, ESI query helpers, config schema/validation, and optional notification channels. There are no unrelated credentials or binaries requested.
Runtime instructions and scripts explicitly read/write a local token file (~/.openclaw/eve-tokens.json) and instruct the user to run auth_flow.py / get_token.py / esi_query.py. Optional integrations (Telegram/Discord) will transmit alerts if the user configures them. This is expected for the stated functionality, but installing/running will create and use local credential files and may send character data to user-specified notification endpoints.
No install spec provided (instruction-only install), and all code is Python stdlib-based. There are no remote downloads or execution of code from unknown URLs in the skill package itself. README suggests cloning a GitHub repo for installation; the registry metadata shows 'source: unknown' and no homepage—this provenance gap is a minor caution but not an immediate functional risk.
The skill does not require environment variables to operate (manifest lists none), and SKILL.md documents several optional/sensitive env vars (EVE tokens, TELEGRAM_BOT_TOKEN, DISCORD_WEBHOOK_URL). Those env vars are proportional to optional notification functionality and token convenience. Users should avoid embedding secrets in config files and prefer $ENV: references as intended.
The skill does not request always:true or other elevated persistence. It stores refresh tokens locally in ~/.openclaw/eve-tokens.json (auth_flow.py sets chmod 600). Autonomous invocation is allowed by default but is typical for OpenClaw skills and not combined with any broad or unexplained privileges here.
Guidance
This skill appears to do what it claims (manage/query EVE via ESI). Before installing: 1) Verify the skill's origin (registry metadata has no homepage; README references a GitHub repo — confirm that repo and author are trustworthy). 2) Review the scripts yourself (they are plain Python and use only stdlib). 3) Keep tokens out of checked-in config files—use $ENV: variables as the example does. 4) Be aware that tokens are stored on disk at ~/.openclaw/eve-tokens.json; auth_flow.py sets file permissions to 600 but you should still protect that file and the machine. 5) Only configure Telegram/Discord credentials if you accept that selected character data and alerts will be posted to those external services. 6) When authenticating on a remote server, follow the documented SSH-tunnel workflow so your browser and callback are local and secure.
Latest Release
v1.0.5
eve-esi 1.0.5 changelog - Updated documentation to use a generic placeholder for SSH tunnel instructions, changing the example user and host to "user@your-server" instead of a specific example. - No changes to code or environment variables; only documentation was revised for clarity and privacy.
Popular Skills
Published by @burnshall-ui on ClawHub
