← Back to Skills Marketplace
skillnet
by
Icarus_Chen
· GitHub ↗
· v2.0.3
· MIT-0
1148
Downloads
10
Stars
3
Active Installs
11
Versions
Install in OpenClaw
/install skillnet
Description
Search, download, create, evaluate, and analyze reusable agent skills via SkillNet — the open skill supply chain for AI agents. Use when: (1) Before any mult...
Usage Guidance
This skill appears to implement what it says, but proceed cautiously:
- Verify the 'skillnet-ai' package before installing: check its PyPI page and source repository to confirm the maintainer and review the code. Installing arbitrary PyPI packages can execute code on your machine.
- Confirm the API host(s) you'll interact with: the documentation lists api-skillnet.openkg.cn as the public search API and lets you set BASE_URL for your LLM endpoint. If you will send skill or document content to an LLM, prefer a local BASE_URL (e.g., a local vLLM) for sensitive data.
- Do not provide long‑lived or highly privileged credentials without understanding scope. API_KEY is required for create/evaluate/analyze; the SKILL.md instructs one‑shot injection but double‑check you’re not exporting keys to persistent files.
- Be cautious about using any 'mirror' option for GitHub downloads — a mirror could route content through an untrusted server. Prefer direct GitHub API downloads and review files locally before loading them into the agent context.
- There is a small metadata inconsistency: the registry lists no required env vars while the skill requires API_KEY; confirm this before running commands that prompt for keys.
- Inspect the included scripts (scripts/skillnet_create.py and skillnet_validate.py) — they appear benign and offline, but the actual network behavior depends on the 'skillnet-ai' package which the scripts import. Only run commands after you’ve reviewed the package and confirmed you trust the endpoints.
If you are comfortable verifying the package origin and using one‑time API key injection (or a local LLM), the skill is reasonable. If you cannot verify the upstream package or you must handle sensitive documents, decline to install or use a local BASE_URL and review all generated files before executing anything.
Capability Analysis
Type: OpenClaw Skill
Name: skillnet
Version: 2.0.3
The skillnet bundle provides a comprehensive framework for managing AI agent skills, including searching, downloading, and creating new skills. The bundle demonstrates a strong security posture by including explicit guardrails in SKILL.md and security-privacy.md that instruct the agent to treat all downloaded content as untrusted, require user confirmation for sensitive actions, and avoid executing third-party scripts automatically. The provided Python scripts (skillnet_create.py and skillnet_validate.py) are transparent wrappers for the skillnet-ai library and do not contain any evidence of malicious intent, data exfiltration, or unauthorized credential usage. All network communication is directed to legitimate services such as GitHub or the user's specified LLM endpoint.
Capability Assessment
Purpose & Capability
Name, description, CLI patterns, and included scripts align: the skill is for searching/downloading/creating/evaluating skills and the code and docs implement that. Requiring an API_KEY as the primary credential is appropriate for create/evaluate/analyze operations. The included Python scripts and CLI install suggestions are proportional to the declared functionality.
Instruction Scope
SKILL.md instructs the agent to search (no key), download only GitHub repos, require explicit user confirmation before downloading/loading/executing, and to never auto-run downloaded scripts — these are good restrictions. It writes artifacts to ~/.openclaw/workspace/skills and instructs what to show users for review. No instructions attempt to read unrelated system secrets or auto-exfiltrate data. Note: SKILL.md references openclaw.json and other local config locations as possible configured credentials (documented transparency), so you should verify what local config it may read in your environment.
Install Mechanism
The registry shows 'no install spec' but the SKILL.md frontmatter contains install commands recommending 'pipx install skillnet-ai' or 'pip install skillnet-ai'. Installing a third‑party package from PyPI is a typical but higher‑risk install path because the package source and contents must be verified. Additionally, the client supports an optional 'mirror' (e.g. ghfast.top) for downloads — using a non-official mirror could redirect downloads through an untrusted host. No direct binary downloads or extract-from-URL patterns are present in the skill files, which reduces risk, but you should verify the 'skillnet-ai' package origin on PyPI/GitHub before running installs.
Credentials
The primary credential declared is API_KEY and the docs consistently require API_KEY for create/evaluate/analyze; that is proportional. However, registry metadata lists 'Required env vars: none' while frontmatter and code clearly expect an API_KEY (primaryEnv). This metadata mismatch is confusing and should be resolved before installing. Optional env vars (BASE_URL, GITHUB_TOKEN, SKILLNET_MODEL, GITHUB_MIRROR) are reasonable for the described features but are privileges you should consider carefully (particularly BASE_URL and GITHUB_TOKEN for private repo access).
Persistence & Privilege
The skill does not request 'always: true' and does not claim persistent background processes. It writes created/downloaded skills to a local workspace path (~/.openclaw/workspace/skills), which is expected. It does not attempt to modify other skills or system-wide settings in the included files.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install skillnet - After installation, invoke the skill by name or use
/skillnet - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.3
Skillnet 2.0.3 — No functional changes
- No file changes detected in this version.
- Documentation, functionality, and installation remain identical to the previous release.
v2.0.2
No user-facing changes in this release; documentation and interface remain the same.
v2.0.1
No visible file changes detected; this is a metadata/bump release.
- Version bumped to 2.0.1.
- No changes to core SKILL.md content or implementation files.
- All processes, descriptions, and installation steps remain unchanged.
v2.0.0
Skillnet 2.0.0 — Major Structural and Security Updates
- Reorganized scripts: added skillnet_create.py and skillnet_validate.py, removed older script and setup files for improved maintainability.
- Introduced references/security-privacy.md to document security and privacy practices.
- Clarified usage: updated guidance on when to search, create, and apply skills, and emphasized security for downloaded scripts.
- Refined metadata and streamlined task triggers in SKILL.md for easier integration and clearer logic.
- Enforced GitHub-only download restriction and outlined strict user consent before executing any downloaded code.
v1.0.6
Hardened inherent capability risks flagged by OpenClaw safety review: added download source restrictions, precise data flow transparency, sensitive data warnings, third-party skill isolation policies, and prompt injection defenses — while preserving all original functionality.
v1.0.5
Added explicit user confirmation gates for all security-sensitive operations (download, load, create, evaluate, analyze, script execution) and a centralized User Confirmation Policy, replacing previous auto-execute directives that triggered a "Suspicious" rating in OpenClaw safety review. Credential handling changed from "silent if configured" to a transparent model that always informs the user which credentials and endpoints are in use.
v1.0.4
Version 1.0.4
v1.0.3
- Updated all default local skill library paths from `~/.openclaw/workspace/skills` to `~/.openclaw/skills` in documentation and examples.
- Adjusted deduplication and outdated skill removal instructions.
- Minor corrections and clarification to step descriptions and code examples in SKILL.md and reference files.
- No breaking changes to functionality or requirements.
v1.0.2
Improved security compliance and credential handling.
v1.0.1
Install & security hardening: removed curl|sh/remote scripts, --break-system-packages, PEP 668 workarounds, and uv auto‑installs; install is now pipx→pip only (user‑level); docs add direct skill‑subdir URLs and Data & Privacy whitelists.
v1.0.0
Initial release: search/download/create/evaluate/analyze skill pipeline
Metadata
Frequently Asked Questions
What is skillnet?
Search, download, create, evaluate, and analyze reusable agent skills via SkillNet — the open skill supply chain for AI agents. Use when: (1) Before any mult... It is an AI Agent Skill for Claude Code / OpenClaw, with 1148 downloads so far.
How do I install skillnet?
Run "/install skillnet" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is skillnet free?
Yes, skillnet is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does skillnet support?
skillnet is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created skillnet?
It is built and maintained by Icarus_Chen (@icarus-chen); the current version is v2.0.3.
More Skills