← Back to Skills Marketplace
daihaochen-mv

Secondme Dev Assistant

by Mindverse · GitHub ↗ · v2.1.0 · MIT-0
cross-platform ⚠ suspicious
131
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install secondme-dev-assistant
Description
Use when user wants to develop on the SecondMe platform (second.me, develop.second.me). Triggers: building SecondMe third-party apps (第三方应用/外部应用), SecondMe O...
Usage Guidance
Things to consider before installing or enabling this skill: - It will read and write files under your home directory (~/.secondme) including storing OAuth client secrets and developer tokens; if you do not want secrets written to disk, do not allow the assistant to create or persist them. - On first use (once per conversation) it runs a pre-flight shell snippet that uses npx to check for and optionally update a 'second-me-skills' package. That can download and run code from the network even though the skill has no install spec — only enable this if you trust that update behavior. - The skill assumes availability of npx, python3, openssl and other shell tools but the registry metadata does not list these as required binaries; ensure your environment meets these prerequisites or the script may fail. - The assistant may scan repository files (README, package.json, env files, auth files) to infer integration details — be cautious if those files contain secrets for other services. - Telemetry is configurable: the skill will prompt and can store a stable device id for 'community' mode; read the prompt carefully and choose 'off' or 'anonymous' if you prefer not to create persistent identifiers. - If you proceed, consider: (1) backing up or auditing ~/.secondme before use, (2) choosing manual app creation if you want to avoid automatic secret storage, and (3) restricting network access or reviewing any downloaded updates from npx before execution. If you want, I can list the exact files and network endpoints the skill will access and give step-by-step mitigations (e.g., how to run the flows manually) before you enable it.
Capability Analysis
Type: OpenClaw Skill Name: secondme-dev-assistant Version: 2.1.0 The skill 'secondme-dev-assistant' contains instructions in SKILL.md to silently execute a 'Pre-flight Check' shell script that performs auto-updates via 'npx skills update' and logs telemetry to ~/.secondme. It also manages sensitive OAuth credentials and platform tokens, storing them in local files (~/.secondme/client_secret, ~/.secondme/dev_credentials). While these features are aligned with its stated purpose as a developer assistant for the SecondMe platform (api.mindverse.com, app.mindos.com), the silent execution of update scripts and the handling of session/device identifiers represent significant security risks, including a potential supply chain vector and unauthorized background activity.
Capability Assessment
Purpose & Capability
The declared purpose (developer assistant for SecondMe) aligns with most instructions: creating apps, managing credentials, MCP/integration guidance, scanning repos, and calling SecondMe APIs. However, the skill's metadata declares no required binaries or install steps while the instructions expect and use tools (npx, python3, openssl, shell utilities) and network access — that mismatch is unexplained in the registry metadata and is surprising.
Instruction Scope
Runtime instructions include: reading and writing files under ~/.secondme (client_secret, dev_credentials, analytics), scanning repository files (including env or auth files), creating references/api-reference.md by fetching remote docs, and an early pre-flight update check that runs npx. They also instruct automatically creating apps via platform APIs and saving returned client secrets to disk. These behaviors go beyond pure conversational help and involve local file I/O, secret persistence, and optional network fetches; the skill claims some safeguards (e.g., 'never print raw secret') but also indicates it will save secrets without the user manually doing so. The skill will prompt for telemetry and may write telemetry state and a stable device id locally.
Install Mechanism
The skill has no declared install spec, but the pre-flight check runs 'npx skills check' and may run 'npx skills update mindverse/second-me-skills -y' which can download and execute code from the network at runtime. That effectively implements an implicit install/update mechanism outside the registry install metadata. Running npx to fetch/update packages is higher-risk than an instruction-only skill and should be explicitly declared; the code also assumes availability of npx and will call it without listing it as a required binary.
Credentials
The skill declares no required environment variables, which is reasonable for a generic dev assistant, but its instructions read/write local credential files (~/.secondme/client_secret and ~/.secondme/dev_credentials), scan repo files (including env and auth files), and recommend persisting OAuth client secrets and tokens. Reading repository env or auth files can expose unrelated secrets. The telemetry flow writes analytics locally and can create a stable device id; while telemetry is local-first per the docs, the presence of any telemetry and the stable device id should be considered sensitive. The skill accesses/creates secrets but the registry did not list these persistence/config paths in 'required config paths', creating an incoherence.
Persistence & Privilege
The skill does not request 'always: true' and cannot force-enable itself globally, which is good. However, it does request persistent local state by creating ~/.secondme files (config, client_secret, dev_credentials, analytics, .device-id) and may create/modify repository files (references/api-reference.md). Persisting client secrets and tokens to disk is within the expected behavior of a developer assistant, but users should understand the exact files written and their permissions are recommended only (the skill suggests chmod-like permissions but will write the files regardless).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install secondme-dev-assistant
  3. After installation, invoke the skill by name or use /secondme-dev-assistant
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.0
Version 2.1.0 – Major update with feedback consent, open API docs, and expanded dev workflow - Added telemetry/feedback prompt flow at session start for new users; see references/feedback-prompt.md - Introduced open API references (Agent Memory, Act stream): references/open-apis.md - Updated pre-flight check logic with explicit telemetry toggle, session logging, and consent reminder - Expanded skill triggers and clarified intended audience: for developer/platform integration only, not general SecondMe usage - Updated internal references and workflow documentation to match new flow and features
v0.1.0
SecondMe Dev Assistant 2.0 — Initial Release - Unified skill for managing the entire lifecycle of SecondMe third-party app and integration development. - Covers app bootstrap, credential management, requirements definition, scaffolding, guidance on OAuth/MCP, and review submission. - Supports direct control-plane operations on SecondMe Develop, including app/integration CRUD, validation, and release. - Triggers on key developer intents such as "create SecondMe app," "OAuth," "integration," or participation in a hackathon. - Implements a silent, automatic update check on first use per conversation. - Enforces precise, secure, and transparent guidance; never produces raw secrets or performs unsafe actions.
Metadata
Slug secondme-dev-assistant
Version 2.1.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 2
Frequently Asked Questions

What is Secondme Dev Assistant?

Use when user wants to develop on the SecondMe platform (second.me, develop.second.me). Triggers: building SecondMe third-party apps (第三方应用/外部应用), SecondMe O... It is an AI Agent Skill for Claude Code / OpenClaw, with 131 downloads so far.

How do I install Secondme Dev Assistant?

Run "/install secondme-dev-assistant" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Secondme Dev Assistant free?

Yes, Secondme Dev Assistant is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Secondme Dev Assistant support?

Secondme Dev Assistant is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Secondme Dev Assistant?

It is built and maintained by Mindverse (@daihaochen-mv); the current version is v2.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments