Service Catalog
by charlie-morrison · v1.0.0 · MIT-0
53 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw
/install service-catalog
Description
Auto-discover and catalog all services in a codebase or organization — scan Dockerfiles, docker-compose, Kubernetes manifests, package.json, systemd units, P...
Usage Guidance
This skill mostly does what it says: it scans a codebase for service artifacts and builds a catalog. Before installing or running it: (1) be aware it reads many repository files and may surface secrets or private endpoints — run it in a trusted or isolated checkout if you have sensitive data; (2) the SKILL.md uses tools like python3 and rg (ripgrep) but the skill doesn't declare required binaries — ensure those tools are present and consider adding them to a vetted runtime rather than installing unknown packages; (3) the description mentions 'organization' scanning but the commands are local to the workspace — don't expect it to reach into external repos or org-level services unless you explicitly provide those checkouts; (4) review where the skill will write or transmit its output (not specified) and avoid piping results to external endpoints unless you trust them. If you want to proceed, test on a non-sensitive repository and confirm outputs are limited to local files or agent UI before running on production codebases.
Capability Analysis
Type: OpenClaw Skill
Name: service-catalog
Version: 1.0.0
The skill bundle contains multiple shell injection vulnerabilities in the `SKILL.md` file, specifically within the `discover` and `owners` commands where file paths found by `find` are directly interpolated into `python3 -c` command strings. While the tool's functionality for service discovery and dependency mapping is clearly defined and legitimate, these vulnerabilities allow for potential arbitrary code execution if the agent processes a repository containing maliciously named files. Additionally, the tool performs broad searches for sensitive configuration keys like `DATABASE_URL` and `REDIS_URL` and pings local endpoints, which are high-risk behaviors albeit aligned with the stated purpose of infrastructure cataloging.
Capability Assessment
Purpose & Capability
The name and description (auto-discover services in a codebase) align with the SKILL.md commands, which search Dockerfiles, manifests, package.json, etc. However, the description also promises organization-wide discovery while the provided commands only operate on the local workspace; that mismatch could mislead users about what this skill actually does. Also the SKILL.md uses tools (python3, rg/ripgrep, find, xargs, grep) but the skill declares no required binaries—an omission that reduces transparency.
Instruction Scope
Instructions perform broad filesystem and repo scanning (find/grep/rg across many file types), look for environment-variable patterns (DATABASE_URL, REDIS_URL, etc.) and extract URLs and health endpoints. This is consistent with the stated cataloging goal, but it will read arbitrary repository files and may surface secrets, credentials, or private endpoints if present. The SKILL.md does not instruct sending results out-of-band, but it also doesn't constrain output handling or where the generated catalog is stored, so users should be aware of sensitive data exposure risk.
Install Mechanism
Instruction-only skill with no install spec or downloaded code — low install risk. However, it relies on external CLI tools (python3, rg/ripgrep, find, xargs, grep) without declaring them; that is a transparency/documentation gap rather than an installation vector risk.
Credentials
No environment variables, credentials, or config paths are requested. The SKILL.md does search for common environment variable names and config files within the repo (to infer dependencies), which is reasonable for the purpose and proportionate to the stated task.
Persistence & Privilege
always:false and no install-time persistence are used. The skill is user-invocable and can be invoked autonomously by the agent (platform default), which is expected. The skill does not request elevated system-wide modifications or change other skills' configurations.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install service-catalog
- After installation, invoke the skill by name or use /service-catalog
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of service-catalog: auto-discover and catalog all services in your codebase or organization.
- Scan Dockerfiles, docker-compose, Kubernetes manifests, systemd units, Procfiles, and common project files (Node.js, Python, Go) to find services.
- Generate a detailed, living service catalog with names, types, tech stack info, owners, dependencies, health checks, and documentation links.
- Map service-to-service dependencies, detect circular dependencies, single points of failure, and orphaned services.
- Check the health of services using Docker, systemd, and detected health endpoints.
- Report service ownership based on CODEOWNERS and code metadata.
Frequently Asked Questions
What is Service Catalog?
Auto-discover and catalog all services in a codebase or organization — scan Dockerfiles, docker-compose, Kubernetes manifests, package.json, systemd units, P... It is an AI Agent Skill for Claude Code / OpenClaw, with 53 downloads so far.
How do I install Service Catalog?
Run "/install service-catalog" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Service Catalog free?
Yes, Service Catalog is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Service Catalog support?
Service Catalog is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Service Catalog?
It is built and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.