Where are you from

An enterprise-grade asset manager that tracks, manages, and automatically syncs OpenClaw skills capabilities and sources to your GitHub.

What to check before installing / running this skill: - Required tools: The code and README require Node.js (v14+) and Git, but the registry metadata lists no required binaries — install Node and Git first and be prepared to provide Git authentication (SSH key, credential helper, or token) for pushes to work. - Review searchRoots: The default scan roots include ~/.openclaw/skills and ./skills. Edit ~/.openclaw/inventory.json before scanning to avoid exposing folders you don't want to be cataloged or pushed. - Inspect the generated manifest before pushing: The tool masks common key patterns, but automatic masking is not perfect. Run inventory sync locally, open SKILLS_MANIFEST.md/SKILLS_MANIFEST.json, and verify there are no secrets or sensitive contents before running sync --push. - Understand network behavior despite SECURITY.md: The included SECURITY.md incorrectly states "no network requests" — git push will contact remote repositories if you instruct it to push. If you do not want any network activity, avoid running sync --push or do not configure a remote. - Be cautious with autonomous invocation: Because the agent can invoke this skill, an automated agent could run scanning and attempt to push manifests. If you prefer manual control, disable autonomous invocation for this skill or ensure prompts are required and handled by a human. - Sandbox first: Run the tool in a safe test folder (or with a temporary git repo without a remote) to observe its behavior: bootstrap -> status -> sync (without --push) to confirm manifest contents and masking behavior. If you want to proceed, consider setting autoPush:false (default) and explicitly reviewing manifests before any push. If anything in the manifest looks surprising, do not push and investigate the source folders and SKILL.md files the tool discovered.

Type: OpenClaw Skill Name: openclaw-inventory-manager Version: 1.0.1 The skill is an inventory manager that audits OpenClaw skills and synchronizes a manifest to a GitHub repository. It possesses high-risk capabilities including recursive filesystem scanning (utils/scanner.js), execution of Git commands via spawnSync (utils/gitManager.js), and data transmission to external repositories. While these actions are clearly aligned with the stated purpose and the code includes robust security measures—such as a regex-based secret scrubber (utils/securityScrubber.js), automatic .gitignore generation, and user confirmation prompts—the inherent risks of shell execution and network communication for metadata exfiltration meet the threshold for a suspicious classification under the provided criteria.