pallaoro

Rule Spec

by Ric · GitHub ↗ · v1.0.7 · MIT-0
cross-platform ⚠ suspicious
Downloads: 113 · Stars: 0 · Active Installs: 0 · Versions: 4
Install in OpenClaw
/install rulespec
Description
Define, manage, and compile business rules as structured YAML data into LLM-ready prompts and agent-loadable SKILL.md files. Use when the user wants to creat...
Usage Guidance
This skill appears to do what it says, but exercise caution before running it. Key steps to reduce risk:
- Verify the npm package: find the official rulespec package name, publisher, repository URL, and a release tag/commit. Do not run npx against an unknown package without inspection.
- Prefer a pinned, audited install (add an explicit install spec or vendor the code) rather than 'npx' dynamic fetches.
- Inspect the rulespec code (or its GitHub release) for any file I/O behavior, path handling, and network calls.
- Run first in an isolated environment (container or VM) and with a non-privileged account. Back up your skills/ directory before using emit.
- Avoid running this skill autonomously on an agent with wide filesystem privileges; restrict which paths it can read/write and validate any domain/outdir values to prevent overwrites or path traversal.
- If you need to allow the CLI to read example files, limit inputs to non-sensitive test data and avoid passing system paths (e.g., do not pass /etc, home, or application config files).

If you can obtain the package repository or a signed release, re-run this evaluation with that information; it would raise confidence and likely move the verdict toward benign if the source is legitimate and reviewed.
Capability Analysis
Type: OpenClaw Skill
Name: rulespec
Version: 1.0.7

The skill bundle provides a CLI-based workflow for managing business rules using the `rulespec` package via `npx`. It includes high-risk capabilities such as reading arbitrary files (via the `--input` flag in `add-example`) and writing to arbitrary directories (via the `--outdir` flag in `emit`), which could be exploited for data exfiltration or unauthorized file system modification. While these features are aligned with the stated purpose of rule management and compilation, the lack of path sanitization and the reliance on external code execution via `npx` constitute significant security risks in an agentic context.
Capability Assessment
Purpose & Capability
Name/description align with the CLI-based workflow documented in SKILL.md: defining rules in rulespec.yaml, validating, compiling, and emitting SKILL.md files. There are no unrelated declared env vars or binaries.
Instruction Scope
The SKILL.md instructs callers to run 'npx rulespec' and to supply arbitrary file paths for inputs/outputs and --file. That means the tool will read arbitrary local files (including PDFs/JSON) and write emitted SKILL.md files to a default path (skills/{domain}/SKILL.md). Those behaviors are plausible for a rules management CLI but also allow reading sensitive local files and overwriting skill files if misused. The instructions give broad discretion (file paths, outdir) without describing path validation or safeguards.
Install Mechanism
No formal install spec is provided in the registry, but the SKILL.md explicitly recommends using 'npx rulespec' which will download and run a package from the npm registry at runtime. Relying on npx to fetch remote code each time increases risk (supply-chain or trojaned package). The registry does not include a pinned package name, source URL, checksum, or a vetted install mechanism.
Credentials
The skill declares no required environment variables or credentials (proportionate). However, runtime usage accepts arbitrary file paths and emits files to the local filesystem, which can expose or modify sensitive data even without declared env secrets.
Persistence & Privilege
always:false (good), but the workflow writes generated SKILL.md files to skills/{domain}/SKILL.md (and supports custom outdir). That can overwrite existing skills or other files under the skills directory if domains/outdirs aren't constrained. The skill does not declare safeguards against accidental/hostile overwrites or path traversal.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install rulespec
  3. After installation, invoke the skill by name or use /rulespec
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.7
- Renamed the examples field from description to note for global examples, updating all related CLI commands (now use --note instead of --description).
- Added a new Programmatic usage section demonstrating how to load and inject rules at runtime via TypeScript.
- No functional logic or CLI changes; documentation and field naming only.
v1.0.6
- Adds rule-specific example management: new CLI commands for adding/removing examples tied to individual rules.
- Expands example input/output support: now accepts inline JSON, JSON file paths, and other file types (e.g., PDFs).
- Clarifies difference between global and rule-specific examples in documentation.
- Improves documentation and onboarding with an added summary, clearer sectioning, and more usage examples.
- No changes to code files in this release; this update is documentation-focused.
v1.0.5
- Expanded skill description to cover more business rule management use cases and trigger phrases.
- Added new CLI commands for editing rules, managing sources and examples, and performing find-and-replace with validation.
- Clarified CLI-driven workflow and allowed manual editing of rulespec.yaml for advanced cases (with validation).
- Detailed command usage examples for each step, including setup, editing, and emission.
- Emphasized principles of safe editing, schema validation, and secure handling of sensitive/example data.
v1.0.4
- Initial release of the rulespec skill for managing business rules as structured data.
- Introduces a CLI for creating, editing, validating, compiling, and emitting business rules and SKILL.md files.
- Enforces a workflow that always uses the CLI to maintain validation and sync between source files and output.
- Supports rule intents (enforce/inform/suggest), sources, and testable examples.
- Outputs SKILL.md files with YAML frontmatter and intent-tagged rules for agent use.
Metadata
Slug rulespec
Version 1.0.7
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is Rule Spec?

Define, manage, and compile business rules as structured YAML data into LLM-ready prompts and agent-loadable SKILL.md files. Use when the user wants to creat... It is an AI Agent Skill for Claude Code / OpenClaw, with 113 downloads so far.

How do I install Rule Spec?

Run "/install rulespec" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Rule Spec free?

Yes, Rule Spec is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Rule Spec support?

Rule Spec is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Rule Spec?

It is built and maintained by Ric (@pallaoro); the current version is v1.0.7.
