Downloads: 184
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install skill-index
Description
Multi-platform skill ranking and discovery system with 25,000+ skills. Supports Tencent SkillHub, Xfyun SkillHub, and local skills. Use when the user asks ab...
Usage Guidance
This skill mostly implements a legitimate ranking/discovery tool, but there are red flags you should address before trusting it:
- Investigate the Tencent API URL (https://lightmake.site/api/skills). Confirm the maintainer and prefer an official endpoint (skillhub.tencent.com or your own trusted registry). Do not rely on an unfamiliar third‑party host unless you trust it.
- The tool will read GITHUB_TOKEN from your environment and can write that token into ~/.openclaw/skill-rank/config.json. Only provide a GitHub token with the minimal scopes needed, or run without a token; consider running the first update in an isolated environment (container/VM) to observe behavior.
- Review the code (scripts/*.py) yourself or run it in a sandbox to see which endpoints it contacts during --update. Look for unexpected outbound hosts beyond the declared sources (xfyun, Tencent, GitHub, raw.githubusercontent).
- If you plan to install/run this skill for real users, replace the default tencent_api_url with an authoritative source and remove or explicitly document any third‑party proxies.
- If you need higher assurance, ask the publisher for a homepage, maintainership information, and an explanation for the lightmake.site endpoint; absence of provenance lowers trust.
If you want, I can point to the exact lines that set the suspicious endpoint and where the GITHUB_TOKEN is read, or produce a diff that hardcodes trusted endpoints before you run it.
Capability Analysis
Type: OpenClaw Skill
Name: skill-index
Version: 1.0.0
The skill bundle provides a meta-utility for ranking and installing other skills, which necessitates high-risk capabilities including network access to external APIs (lightmake.site and xfyun.cn) and shell execution via subprocess. While these functions are clearly aligned with the stated purpose in SKILL.md and scripts/skill-rank.py, the ability to trigger software installations and execute system-level CLI tools (skillhub/clawhub) represents a significant privilege level. No evidence of intentional malice, data exfiltration, or command injection vulnerabilities was found, as the script correctly uses list-based arguments for subprocess calls to prevent shell injection.
Capability Assessment
Purpose & Capability
Name/description match the code: the scripts implement multi-source ranking (Tencent, Xfyun, local). However the default Tencent API URL in the code/config is set to https://lightmake.site/api/skills (a third‑party domain) instead of an official Tencent endpoint; that mismatch is unexplained and disproportionate to the stated purpose.
Instruction Scope
Runtime instructions and scripts read and write data under ~/.openclaw/skill-rank (DB, cache, config) and perform network fetches from configured endpoints. The code also references an environment variable GITHUB_TOKEN for authenticated GitHub API use, but the skill metadata declared no required env vars — SKILL.md mentions a token recommendation but the runtime reads the env var directly. These actions (local file I/O plus network calls to external endpoints) are within the broad scope but include undeclared sensitive inputs and an unexplained external API host.
Install Mechanism
No install spec; the bundle is instruction/code-only and uses only Python standard library modules. There are no downloads, archive extraction, or external installers in the provided files.
Credentials
The code accesses GITHUB_TOKEN from the environment and stores configuration (which may include tokens) under ~/.openclaw/skill-rank/config.json. The skill did not declare required env vars in the manifest. Additionally, the default Tencent API endpoint points at a third‑party domain (lightmake.site) which could be used to collect query patterns or metadata — accepting that endpoint by default increases exposure of queries/skill names.
Persistence & Privilege
The skill persists a local SQLite DB and config under ~/.openclaw/skill-rank and suggests cron integration for periodic updates. It does not request always:true or modify other skills' configs, but it will store data (including any tokens you add) on disk — normal for this class of tool but something to be aware of.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install skill-index
- After installation, invoke the skill by name or use /skill-index
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of skill-finder: a multi-platform skill ranking and discovery system supporting 25,000+ skills.
- Integrates Tencent SkillHub, Xfyun SkillHub, and local skills with real-time data.
- Provides commands to list, search, view details, and install skills via CLI.
- Ranks skills using a popularity algorithm based on downloads and community stars.
- Offers real-time installation guidance, dry-run previews, and robust error handling.
- No external dependencies required; uses only Python standard library modules.
Frequently Asked Questions
What is 技能检索?
Multi-platform skill ranking and discovery system with 25,000+ skills. Supports Tencent SkillHub, Xfyun SkillHub, and local skills. Use when the user asks ab... It is an AI Agent Skill for Claude Code / OpenClaw, with 184 downloads so far.
How do I install 技能检索?
Run "/install skill-index" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 技能检索 free?
Yes, 技能检索 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 技能检索 support?
技能检索 is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created 技能检索?
It is built and maintained by runze123 (@runze123); the current version is v1.0.0.