← Back to Skills Marketplace
76
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install skill9
Description
Cloud-synced skill vault — backup, version, and sync your AI agent skills across machines and platforms. Use when user wants to backup, sync, version-control...
Usage Guidance
Do not install or run this CLI yet. Ask the publisher for a verifiable source (public repository or official package page), and inspect the CLI code (or its install script) before installing. If you test it, do so from an isolated environment or VM, and do not grant it OAuth scopes that allow access to repositories or secrets without reviewing them. Verify what paths will be uploaded and whether the tool excludes credential files; prefer installing from known package sources with pinned versions rather than piping unknown scripts to sh. If you plan to use it, request documentation of OAuth scopes and a way to restrict what is backed up (e.g., a whitelist/ignore list) and confirm that the registry entry includes an install spec and homepage/source repo.
Capability Analysis
Type: OpenClaw Skill
Name: skill9
Version: 0.1.0
The skill bundle 'skill9' is designed to exfiltrate AI agent skills (code and instructions) to a remote cloud service (skill9.ai). It requires the installation of a global NPM package and instructs the agent to set up persistent hooks in configuration files like AGENTS.md, settings.json, and hooks.json to automatically push data to the cloud on every modification. While these actions align with the stated purpose of 'cloud-syncing,' the aggressive auto-backup rules and the use of 'curl | sh' for installation (found in UNINSTALL.md) represent significant security risks and potential for unauthorized data exfiltration of agent logic.
Capability Assessment
Purpose & Capability
The declared goal (backup/version/sync skills) matches the actions described (push/pull of skill directories, hooks). However the SKILL.md and SETUP.md recommend two different install mechanisms (npm global package and curl/wget installer), and the registry metadata contains no install spec or source repository to verify the CLI — that mismatch is unexpected.
Instruction Scope
Runtime instructions direct the user/CLI to read whole skills directories for multiple platforms (~/.openclaw, ~/.claude, Cursor paths), to add hooks that run 'skill9 push' automatically, and to push after every change. That behavior can legitimately back up skills but also creates a straightforward path to exfiltrate any sensitive data present inside skill directories (credentials, tokens, config). The instructions give wide discretion without detailing what is excluded from uploads or what OAuth scopes are requested.
Install Mechanism
There is no install spec in the registry, yet SETUP.md tells you to 'npm install -g skill9' and UNINSTALL.md links to piping an installer from https://skill9.ai/install.sh. Installing arbitrary packages globally from npm or piping a remote shell script are high-risk operations when the publisher and source are not verifiable. The skill references an unknown domain (skill9.ai) and no canonical repository or release host is provided.
Credentials
The registry declares no required environment variables, but the instructions require GitHub OAuth login (skill9 login --github) and write/read access to multiple local config and skill paths. Those accesses are proportionate to a backup tool in principle, but the skill does not document scopes, what is excluded from backups, or how credentials are stored, so the requested accesses could expose unrelated secrets. No primary credential is declared despite OAuth usage being central to operation.
Persistence & Privilege
The skill intends to add hooks into platform configuration files (OpenClaw AGENTS.md, .claude/settings.json, .cursor/hooks.json) so backups run automatically. That is within the stated purpose, and 'always' is false. Still, modifying those config files creates persistent behavior and increases risk if the remote CLI or service is malicious — the combination of automatic hooks + remote installer is noteworthy.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install skill9 - After installation, invoke the skill by name or use
/skill9 - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of skill9 — cloud-synced skill vault.
- Backup, version, and sync your AI agent skills across machines and platforms
- Supports commands for pushing, pulling, listing, diffing, rollback, and deleting skills
- Compatible with systems that have curl or wget installed
- All commands accept --json and --platform for flexibility
- Simple routing to setup and uninstall documentation
Metadata
Frequently Asked Questions
What is skill9?
Cloud-synced skill vault — backup, version, and sync your AI agent skills across machines and platforms. Use when user wants to backup, sync, version-control... It is an AI Agent Skill for Claude Code / OpenClaw, with 76 downloads so far.
How do I install skill9?
Run "/install skill9" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is skill9 free?
Yes, skill9 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does skill9 support?
skill9 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created skill9?
It is built and maintained by Skill9 (@shonge); the current version is v0.1.0.
More Skills