- Downloads: 313
- Stars: 0
- Active Installs: 1
- Versions: 22
Install in OpenClaw
/install skill-pilot
Description
Adaptive skill scheduling engine with environment-aware routing, user preferences, and self-learning optimization. Use when: (1) auto-select best skill for t...
Usage Guidance
What to consider before installing:
- Trust boundary: SkillPilot loads/imports other skill modules (via importlib) and executes skill scripts. Imported Python modules run in-process (they can execute arbitrary code), and subprocesses inherit the full environment by default. Only install SkillPilot if you trust the other skills present in your workspace.
- Secrets exposure: Although SKILL.md states it does not exfiltrate secrets, the engine inherits environment variables and passes them to child processes. If you have high-value credentials in your environment (AWS keys, cloud tokens, SSH keys, OPENCLAW_TOKEN, etc.), consider removing them, running SkillPilot in an isolated environment (container/VM), or using a minimal set of env vars.
- Audit before use: Review the skill-pilot code paths that import and execute other skills (engine._load_skill, SkillExecutor/OpenClawCaller) and confirm input validation is active in your shipped version. The repository documents fixes for past shell-injection issues — verify those fixes are present in the actual code you will run.
- Limit network surface: The skill performs active network probes (DNS, TCP connects, port scans). If you are in a sensitive environment, run it in a restricted network or review/disable probing.
- Least privilege: Prefer running SkillPilot in a sandbox (Docker, VM) and avoid running it with elevated OS permissions. Remove or scope sensitive env vars before running, and periodically review the ~/.openclaw/workspace/skills/skill-pilot/ history/config files for unexpected activity.
Capability Analysis
Type: OpenClaw Skill
Name: skill-pilot
Version: 0.4.6
SkillPilot is a sophisticated meta-scheduling framework designed to optimize the selection and execution of other OpenClaw skills. While it performs high-risk actions such as network probing (DNS/latency checks in `environment.py`), reading other skill configurations in the workspace (`registry.py`), and executing local scripts (`engine.py`), these behaviors are transparently documented and strictly aligned with its stated purpose of environment-aware routing. The codebase demonstrates security maturity by including an input validator (`_validate_args`) to prevent shell injection, utilizing list-based subprocess calls instead of `shell=True`, and providing detailed security audit documentation (`SECURITY_FIX.md`, `SECURITY_DECLARATION.md`).
Capability Assessment
Purpose & Capability
Name/description (adaptive skill scheduler) align with code: it discovers, ranks, and invokes other skills and records history. The claimed 'zero-intrusion' marketing is overstated: the skill reads other skills under ~/.openclaw/workspace/skills/ and executes them (via importlib or subprocess), which necessarily accesses other skills' files and runs their code. That is functionally necessary but should be considered intrusive relative to the marketing language.
Instruction Scope
SKILL.md and code instruct reading the workspace skills directory, saving history/config under ~/.openclaw/workspace/skills/skill-pilot/, probing network (DNS/latency/ports), importing other skills' Python modules, and executing external skill scripts. Importing other skills with importlib executes their code in-process; executing scripts launches child processes. These actions are coherent with a router but expand runtime scope (code execution, network probes) and create a trust boundary that isn't fully constrained by the manifest.
Install Mechanism
No install spec; this is an instruction-and-code skill that runs from the workspace. That is low-risk from an automatic-install perspective (nothing is downloaded/extracted at install time).
Credentials
SKILL.md lists only a few optional env vars, but the code uses os.environ.copy() and inherits the full process environment for child processes. Passing the full environment to child skills is functionally convenient (so child skills can use their API keys), but it means any high-value secrets present in your environment could be available to invoked child processes. The skill asserts it "Does NOT exfiltrate secrets," but it cannot enforce what third-party child skills do with inherited env vars or what imported modules execute in-process.
Persistence & Privilege
The skill does not request always:true, does not modify other skills' files in its stated behavior, and confines writes to ~/.openclaw/workspace/skills/skill-pilot/. Recording history/config and updating default-tool settings are expected for a scheduler. This persistence level is proportional to its purpose.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install skill-pilot`
- After installation, invoke the skill by name or use `/skill-pilot`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.4.6
Skill-pilot v0.4.6
- Added SECURITY_DECLARATION.md to document security practices and behaviors.
- Declared required and optional environment variables in SKILL.md, clarifying integration and API dependencies.
- Updated security notes: details on file access, network probing, child process execution, and data handling.
- Internal config and script updates for improved environment and mode management.
- Added package.json for dependency management.
v0.4.5
No file or documentation changes detected in this version.
- Version updated to 0.4.5 with no other changes.
v0.4.4
Version 0.4.4 is a streamlined release with security improvements and a focus on core scheduling features.
- Reworked codebase to a pure scheduler; removed non-essential guides, reports, and test scripts.
- Added SECURITY_FIX.md to document security improvements.
- Introduced CHANGELOG.md for clearer version tracking.
- Updated SKILL.md for new version, improved documentation, and removed outdated information.
- Refined config and engine scripts to reflect recent architecture and mode changes.
v0.4.3
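Skill invocation optimization: added three invocation methods (Python module / script execution / OpenClaw channel), fixed invocation failures for multi-search-engine and exa-web-search-free; full mode can now call all search skills normally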
v0.4.2
Security hardening v0.4.2: restricted file access scope, prevented credential exposure, passed the ClawHub security scan
v0.3.16
- Updated version metadata in SKILL.md from 0.0.0 to 0.3.15 and removed placeholder comment about auto-generation.
- No other changes beyond version information and related metadata. Core features, usage instructions, and documentation remain unchanged.
v0.3.15
- Added explicit security metadata to SKILL.md, clarifying shell execution, network, input validation, and sandbox recommendations.
- Updated runtime and dependency requirements in SKILL.md for greater precision (Python 3.8+, Node.js as optional).
- Clarified filesystem access sections, adding "read-only" annotations and enhancing privilege transparency.
- Expanded security and operational guidance, emphasizing no credential storage and best practices for safe usage.
v0.3.14
- Minor script update in `scripts/smart-publish.sh`.
- No user-facing changes or documentation updates.
v0.3.13
- Added scripts/smart-publish.sh for automated publishing tasks.
- Updated SKILL.md to use a placeholder version (0.0.0) and note that the actual version is managed by ClawHub.
- No functional or logic changes to the skill itself; documentation and workflow improvements only.
v0.3.12
- Added explicit runtime requirements (`python3`, optional `node`) in the manifest.
- Declared required read/write filesystem access paths for skill discovery, user preferences, and execution logs.
- Improved installation instructions with runtime and security guidance.
- No changes to functionality; documentation and manifest metadata only.
v0.3.11
- Added SECURITY_USAGE.md for expanded or clarified security usage documentation.
- Updated SECURITY_RESPONSE.md and SKILL.md content.
- Removed run_iran_search.py and run_search.py utility scripts.
- Documentation and metadata streamlined; no functional logic changes to core modules.
v0.3.10
skill-pilot v0.3.10
- Updated SKILL.md: incremented version from v0.4.1 to v0.4.2 in frontmatter.
- No functional or code changes; documentation version only.
- RELEASE.md may have related release notes.
v0.3.9
**SkillPilot v0.3.9 Changelog**
- Added SECURITY.md and SECURITY_RESPONSE.md for improved security practices and response documentation.
- Introduced config/search-skills-config.md for search skills configuration customization.
- Updated documentation in SKILL.md and USAGE_GUIDE.md to clarify new features, permissions, and setup guidance.
- Enhanced code and test scripts (scripts/test.py) for coverage and robustness.
v0.3.8
- Updated skill version to 0.4.1 in SKILL.md metadata.
- No functional or documentation changes; version metadata only.
v0.3.7
Skill-pilot v0.3.7 → v0.4.0
- Version bump from 0.3.5 to 0.4.0 in skill definition.
- RELEASE.md and SKILL.md updated for new release.
- Internal scripts (e.g., engine.py) modified; see commit for details.
- Documentation refreshed for feature parity with current codebase.
v0.3.6
Skill-pilot v0.3.6 introduces a new modular strategy system and configuration improvements.
- Added generic YAML strategy templates for automation, code, fetch, search, summarize, and translation.
- Introduced scripts/discovery.py to assist with discovering strategy/application patterns.
- Added a universal design guideline (UNIVERSAL_DESIGN.md) and a user-config template YAML.
- Updated engine and documentation to reflect new configuration patterns and usability.
- Existing documentation (SKILL.md, RELEASE.md) updated for consistency and new features.
v0.3.5
- Bump version to 0.3.4 in SKILL.md for upcoming release.
- No functional or feature changes in this update; documentation and version metadata only.
v0.3.4
- Added new strategy templates: automation, file management, git operations, security audit, summarization, and translation.
- Expanded strategies documentation (new README).
- No changes to core logic or existing documentation in SKILL.md.
v0.3.3
# skill-pilot v0.3.3
- Updated version references in documentation to v0.3.3
- No feature, logic, or interface changes (documentation only update)
v0.3.2
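SkillPilot v0.3.2 – Content-quality-first evaluation and documentation update
- Added "content quality first" evaluation (completeness, reasonableness, accuracy) and refined the scheduling decision criteria
- Documentation updated with the content-quality evaluation principles; entries simplified and version number added
- Kept the "dual-mode" execution architecture; improved usage examples and configuration notes
- Made detail improvements to the "history learning" and "observability" scripts and added examples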
Frequently Asked Questions
What is Skill Pilot?
Adaptive skill scheduling engine with environment-aware routing, user preferences, and self-learning optimization. Use when: (1) auto-select best skill for t... It is an AI Agent Skill for Claude Code / OpenClaw, with 313 downloads so far.
How do I install Skill Pilot?
Run "/install skill-pilot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill Pilot free?
Yes, Skill Pilot is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Skill Pilot support?
Skill Pilot is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Skill Pilot?
It is built and maintained by Mr-ChenXY (@namechenxinyu); the current version is v0.4.6.