← Back to Skills Marketplace

openlist

Name: openlist
Author: okami-horo

by okami-horo · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

218

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install openlist-skill

Description

Execute safe file operations via OpenList API with preview-apply workflow for browsing, moving, renaming, deleting, offline tasks, and audit logging.

Usage Guidance

This skill appears to implement the OpenList preview-then-apply workflow and uses OPENLIST_BASE_URL and OPENLIST_TOKEN — which is appropriate — but the registry metadata incorrectly lists no required env vars. Before installing: (1) verify the skill's source/trustworthiness (homepage unknown, owner ID only), (2) ensure OPENLIST_TOKEN you provide is scoped minimally (not a full admin token if not needed), (3) understand that the script will read .env at the repository root and skills/openlist/.env (remove or audit those files first to avoid leaking unrelated secrets), (4) review the full openlist.py source to confirm there are no unexpected network calls or telemetry, and (5) run the skill in an isolated environment or with a token that has only the necessary permissions. If the publisher can correct the registry metadata and explicitly document .env reading and audit contents/redaction behavior, that would reduce concern.

Capability Analysis

Type: OpenClaw Skill Name: openlist-skill Version: 1.0.0 The OpenList skill is a well-architected tool for managing file operations via an API, featuring robust safety mechanisms such as a mandatory 'preview-and-apply' workflow and comprehensive plan validation. It includes proactive security measures like endpoint allowlisting, path normalization, and an audit logging system (scripts/openlist.py) that redacts sensitive credentials. The instructions in SKILL.md explicitly guide the AI agent to seek user confirmation and provide warnings for destructive actions, demonstrating a clear focus on safe and auditable operation.

Capability Assessment

ℹ Purpose & Capability

The name/description and the included Python CLI implement browsing, move/rename/delete previews and apply, offline tasks, and audit logging against an OpenList HTTP API — this is coherent with the stated purpose. However the published registry metadata claims no required environment variables while SKILL.md (and the code) require OPENLIST_BASE_URL and OPENLIST_TOKEN. That metadata mismatch is unexpected and should be corrected/clarified.

⚠ Instruction Scope

SKILL.md instructs the agent to run the bundled Python script and to read configuration from environment variables and from .env files at the repository root and skill folder. The code loads repo_root()/.env and skills/openlist/.env automatically; that can expose unrelated repository secrets if present. Apart from that, instructions limit network calls to the OpenList endpoints and require a preview/apply workflow for state changes which is appropriate. The .env reading behavior is a scope creep risk and should be explicitly acknowledged by the user.

✓ Install Mechanism

There is no install spec or external download. The skill is delivered with a Python script that will run in the agent environment. No remote install or URL-based code pull was observed, which lowers installation risk.

⚠ Credentials

Requiring OPENLIST_BASE_URL and OPENLIST_TOKEN is reasonable for a service client. But the registry metadata omits these requirements (declares none), creating an inconsistency. Additionally, the script will merge OS environment variables with .env files and therefore can read any env var present; automatic reading of repo .env files could surface unrelated secrets — this is disproportionate if users assume only the two OpenList variables will be accessed.

✓ Persistence & Privilege

The skill is not always: true and not requesting elevated platform privileges. It writes an audit JSONL to ~/.codex/openlist/audit.jsonl (declared in docs) but does not appear to modify other skills or global agent configuration. Autonomous invocation is enabled by default on the platform, which is normal; no extra persistence flags are present.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install openlist-skill
After installation, invoke the skill by name or use /openlist-skill
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

- Initial release of OpenList skill for AI Agent automation via OpenList HTTP API. - Supports common auditable and reversible file operations: browsing, moving, renaming, single-path delete, creating offline tasks, and task management. - Enforces a two-step preview + apply confirmation for all modifying actions; no support for overwrite, batch delete, or destructive operations. - All actions are fully logged with audit trails and security restrictions. - Detailed configuration, command list, and safe usage flows described in documentation.

Metadata

Slug openlist-skill

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is openlist?

Execute safe file operations via OpenList API with preview-apply workflow for browsing, moving, renaming, deleting, offline tasks, and audit logging. It is an AI Agent Skill for Claude Code / OpenClaw, with 218 downloads so far.

How do I install openlist?

Run "/install openlist-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is openlist free?

Yes, openlist is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does openlist support?

openlist is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created openlist?

It is built and maintained by okami-horo (@okami-horo); the current version is v1.0.0.

More Skills