← Back to Skills Marketplace
85
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install skill-onboarder
Description
Auto-wires new skills into core system. On skill install detected, reads SKILL.md/AGENT.md/SOUL.md/hooks and injects into soul/memory/agent files.
Usage Guidance
This skill does what it says — it auto-wires other skills — but it gains high-impact, persistent ability to change core agent/soul configuration. Before installing: 1) Prefer not to enable always:true; require manual confirmation for onboarding actions. 2) Restrict this skill to administrators and run it in a sandbox first. 3) Audit its templates and the exact write paths it will modify; ensure the platform logs and file-change audit are enabled. 4) Require that incoming skills be validated (only trusted sources) before the onboarder processes them, because a malicious skill could craft SKILL.md/AGENT.md/hooks to create persistent triggers, hard rules, or pre-response hooks that alter behavior or exfiltrate data. 5) If you must use it, remove or disable 'Always Fires' / HARD-rule auto-enabling by default and require explicit user consent per injected rule.
Capability Analysis
Type: OpenClaw Skill
Name: skill-onboarder
Version: 1.1.0
The skill-onboarder is designed to automate the integration of other skills by reading their configuration files and injecting instructions directly into core system files such as 'soul/master.md' and 'agent/skills-active.md'. While the stated purpose is administrative automation, the ability to modify the agent's core logic and rules based on external, potentially untrusted skill files represents a significant security risk for prompt injection and persistence. It lacks explicit validation or sanitization of the content being injected, effectively acting as a mechanism for privilege escalation within the OpenClaw environment.
Capability Assessment
Purpose & Capability
The name/description (auto-wire new skills) align with the instructions: reading SKILL.md/AGENT.md/SOUL.md/hooks and writing into soul/master.md, agent/skills-active.md, and workspace/_index.md. That functionality is coherent with an onboarder. However, the skill claims no required config paths or elevated privileges while its runtime instructions explicitly perform writes to core agent/soul/workspace paths (a mismatch worth noting).
Instruction Scope
The SKILL.md and templates will cause the agent to: scan each new skill's files, derive triggers and rules, and inject entries that can mark other skills as 'Always Fires', add HARD enforcement rules (which can block responses until satisfied), and add keyword triggers to scan every input. Those operations change runtime behavior platform-wide and give the onboarder the ability to create persistent triggers and enforcement rules from arbitrary skill metadata; this is broad scope and high-impact.
Install Mechanism
No install spec and no code files beyond markdown/templates — the skill is instruction-only, so there is no arbitrary binary download or archive extraction. Installation risk from downloaded code is low.
Credentials
The skill declares no required env vars or config paths, yet the instructions write to core files and create paths (soul/master.md, agent/skills-active.md, workspace/_index.md). The metadata omits the fact that the skill expects write access to these central files. That mismatch reduces transparency and is disproportionate to the lack of declared privileges.
Persistence & Privilege
Flagged 'always: true', meaning it will be force-included in every agent run. Combined with its ability to inject 'always fires' markers and HARD rules into agent config, this creates a persistent, high-privilege configuration pathway that could be abused to escalate influence or ensure malicious rules persist across runs. (Autonomous invocation itself is normal, but always:true is a significant privilege.)
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install skill-onboarder - After installation, invoke the skill by name or use
/skill-onboarder - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
better tiggers
v1.0.0
Initial release: one-time skill installer — reads new skill files, injects into soul/agent/memory/workspace index, creates missing paths, idempotent
Metadata
Frequently Asked Questions
What is Skill Onboarder?
Auto-wires new skills into core system. On skill install detected, reads SKILL.md/AGENT.md/SOUL.md/hooks and injects into soul/memory/agent files. It is an AI Agent Skill for Claude Code / OpenClaw, with 85 downloads so far.
How do I install Skill Onboarder?
Run "/install skill-onboarder" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill Onboarder free?
Yes, Skill Onboarder is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Skill Onboarder support?
Skill Onboarder is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Skill Onboarder?
It is built and maintained by cyber-bye (@cyber-bye); the current version is v1.1.0.
More Skills