← Back to Skills Marketplace
CapForge
by
ldx-person
· GitHub ↗
· v1.3.3
· MIT-0
141
Downloads
0
Stars
0
Active Installs
6
Versions
Install in OpenClaw
/install capforge
Description
Austin Liu|从 GitHub 开源项目中提取“可复用能力资产”:扫描代码结构→产出 capability.md/transform-plan.md→域归类→格式校验(CapForge 本体不做 LLM 分析)
README (SKILL.md)
CapForge(铸能)
Austin Liu:从 GitHub 开源项目中锻造可复用的能力资产。
安全与合规声明(重要)
本 skill 默认只读(read-only):只执行结构扫描、文档生成、域归类、格式校验与安全的仓库同步。
- 不会自动执行代码改造/重构
- 不会执行隐藏命令、
curl | sh、或npx @latest这类不可审计的远程执行 - License 合规仅做提醒与门禁,不提供法律意见
运行前确认(降低误操作风险)
在运行任何命令前,你必须先把将要执行的命令逐条展示给用户,并获得用户明确确认后再执行(尤其是 git clone / git pull 等会写入磁盘的操作)。
如果用户明确要求执行改造/重构,请在执行前二次确认,并遵循 CapForge 的 license 门禁策略。
你会得到什么
CapForge 的职责是纯代码结构扫描(不调用 LLM)并产出可被 Agent / 人类阅读的 Markdown;你(或 OpenClaw/Clawdbot)再基于扫描结果把能力"资产化":
capability.md:可复用能力的结构化说明(接口、输入输出、关键文件等)domains.md:跨项目能力域归类摘要validation-report.md:capability.md 结构校验报告
适用场景(核心卖点)
- 你想快速"看懂一个开源项目能复用什么",并沉淀为可检索的能力资产(
capability.md)。 - 你想把多个开源 Agent 项目做横向对比,快速选型/组合能力(配合
domains.md)。
工作空间约定(重要)
CapForge 默认将所有克隆仓库与输出统一放在同一个工作空间:
- 默认:
~/.capforge/repos/:克隆的项目output/:扫描/能力/计划等产物
你可以通过任意一种方式覆盖:
CAPFORGE_WORKSPACE=/path/to/wscapforge --workspace /path/to/ws \x3Ccommand>
推荐流程(默认只读)
当用户给你一个 GitHub 项目链接时,按顺序执行:
Step 1) Clone + Scan
capforge import \x3Cgithub-url>
capforge scan \x3Cproject-name>
\x3Cproject-name>一般是仓库名(URL 最后一段)。
Step 2) 生成 capability.md(你来写,CapForge 不写)
先让 CapForge 生成扫描数据(Markdown):
capforge describe \x3Cproject-name>
它会写入(默认工作空间):
~/.capforge/output/capabilities/\x3Cproject-name>.md
然后你需要基于:
- 扫描数据
- 仓库源码(
~/.capforge/repos/\x3Cproject-name>/...) 生成一个"真正的能力描述"并覆盖写回output/capabilities/\x3Cproject-name>.md(或另存为capability.md再统一收集)。
capability.md 必须包含这些章节:
## 概述## 技术栈## 核心能力(建议 5-10 个能力点,包含真实接口/函数签名与关键文件路径)## 集成指南## 改造文件
Step 3) 生成 transform-plan.md(你来写,CapForge 只给扫描数据)
npx capforge transform \x3Cproject-name>
它会写入:
~/.capforge/output/transform-plans/\x3Cproject-name>.md
然后你需要把该文件改写为"真正的改造计划",建议结构:
# \x3CProject> 改造计划
## 总体策略
## 改造任务
### [high] Task 1: \x3Ctitle>
- **目标文件:** \x3CtargetFile>
- **动作:** extract|abstract|dehardcode|decouple|adapter
- **依赖:** \x3Ctask ids>
- **描述:** \x3Cdescription>
- **验收标准:** \x3CacceptanceCriteria>
Step 4) 归类 domains.md
capforge classify-domains
输出:
~/.capforge/output/domains.md
Step 5) 校验格式
capforge validate
输出:
~/.capforge/output/validation-report.md
同步更新(检查 GitHub 是否有新变更)
当用户说“更新项目 / 同步最新 / 检查更新”时,执行安全的增量更新(默认 ff-only,不会覆盖本地改动):
# 更新单个项目
capforge update \x3Cproject-name>
# 更新全部已导入项目
capforge update --all
如果检测到本地改动(dirty working tree),CapForge 会默认跳过并提示原因(避免误伤本地修改)。
Usage Guidance
This skill appears to do what it says (scan GitHub projects and produce markdown artifacts) but has packaging and documentation inconsistencies you should resolve before installing. Steps to reduce risk:
- Do not run 'npx capforge' blindly. Prefer installing a vetted package from a trusted source or using a checked-out release tarball.
- Verify the npm package 'capforge' and its GitHub repository (check maintainer, recent commits, and release assets). Confirm the repo owner matches the claimed homepage/author.
- Inspect the installed package contents (or the repo) locally before running commands. Look for postinstall scripts or unexpected network calls.
- Keep the workspace path (~/.capforge) isolated and review any cloned repositories before allowing further actions. Consider setting CAPFORGE_WORKSPACE to a disposable directory for initial testing.
- When the skill prompts to run commands (git clone/pull), require explicit user confirmation every time and review the exact commands shown.
If you want higher assurance, ask the skill author for a signed release or a pinned version/source tarball and a clear explanation of the author/homepage mismatch; without that the packaging inconsistencies keep this at 'suspicious.'
Capability Analysis
Type: OpenClaw Skill
Name: capforge
Version: 1.3.3
The capforge skill is a utility designed to scan GitHub repositories and generate structured documentation (capability.md). It demonstrates good security practices by explicitly instructing the AI agent to seek user confirmation before executing commands and declaring its local state directory (~/.capforge) transparently. No indicators of data exfiltration, malicious code execution, or harmful prompt injection were found in SKILL.md or the associated metadata.
Capability Assessment
Purpose & Capability
The SKILL.md behavior (scan GitHub repos, produce capability.md/transform-plan.md, operate in ~/.capforge) aligns with the stated purpose. However, registry-level metadata reported no required binaries/envs, while the embedded SKILL.md declares required binaries (git, node, capforge) and a node package install. Also author/branding references (Austin Liu) do not clearly match the homepage repo owner (ldx-person). These inconsistencies are signs of sloppy packaging or copy-paste, not necessarily malicious, but they reduce trust.
Instruction Scope
Instructions are narrowly scoped to cloning, scanning, describing, classifying, validating, and doing safe git updates in a single workspace (~/.capforge). The SKILL.md explicitly requires user confirmation before running disk-writing commands, which is good. However, examples inconsistently show 'npx capforge ...' (remote execution) despite an earlier statement that the skill avoids 'npx' and remote one-off execution; README also uses npx. This contradiction could result in accidental remote code execution if followed literally.
Install Mechanism
The registry package included no install spec, but SKILL.md contains an install specification that pulls a Node package named 'capforge' and installs a 'capforge' binary. Installing an npm package is a moderate-risk action because packages can execute scripts; the SKILL.md states this is done to avoid npx but examples still use npx. The skill does not include code files for review, so you would be relying on the third-party npm package and its upstream source (homepage points to GitHub 'ldx-person/capforge')—verify that package and repo before installing.
Credentials
The skill does not request environment variables, secrets, or access to unrelated credentials. It declares a single state directory (~/.capforge) where it will clone repos and write outputs; this is proportionate to its stated function.
Persistence & Privilege
always:false (no forced always-on). The skill writes to its own workspace (~/.capforge) and does not request system-wide config or other skills' settings. It also requires user confirmation before executing write operations by default, which limits persistent/privileged behavior.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install capforge - After installation, invoke the skill by name or use
/capforge - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.3.3
security: declare stateDirs and require explicit user confirmation before running commands
v1.3.2
security: make skill read-only by default; remove npx usage
v1.3.1
docs(skill): translate description to English
v1.3.0
feat: add update command, incremental import, deterministic pipeline runner
v1.2.0
feat(skill): add natural-language compare routing to /capforge
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is CapForge?
Austin Liu|从 GitHub 开源项目中提取“可复用能力资产”:扫描代码结构→产出 capability.md/transform-plan.md→域归类→格式校验(CapForge 本体不做 LLM 分析). It is an AI Agent Skill for Claude Code / OpenClaw, with 141 downloads so far.
How do I install CapForge?
Run "/install capforge" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is CapForge free?
Yes, CapForge is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does CapForge support?
CapForge is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created CapForge?
It is built and maintained by ldx-person (@ldx-person); the current version is v1.3.3.
More Skills