← Back to Skills Marketplace
78
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install workspace-browser-3
Description
Browse and search workspace files with syntax-highlighted code and AI-generated explanations saved persistently in SQLite.
Usage Guidance
This package implements the described file-browser + AI-explanation functionality, but several mismatches and exposure risks mean you should review and harden it before running:
- Do not run it as-is on a production or host-visible network. By default it binds to 0.0.0.0 and sets CORS: '*', which can expose your workspace if the host is reachable. Change HOST to 127.0.0.1 and remove the wildcard CORS if you only need local access.
- The code expects DEEPSEEK_API_KEY / DEEPSEEK_API_URL (see config.py) but the skill metadata does not declare this. If you provide an API key, be aware the app will make outbound requests to that API. Only configure a key you trust and prefer to use a dedicated service account with limited scope.
- Update WORKSPACE_ROOT to the actual intended directory (or make it configurable via environment variable) — the current hard-coded path (/root/.openclaw/workspace) may expose unexpected files. Verify ALLOWED_PATHS and ensure path validation works for your environment.
- Inspect app.py fully (the provided file was partially truncated in the bundle) to confirm there are no additional hidden network calls, backdoors, or exfiltration to unexpected endpoints.
- The start.sh contains a public IP in an echo message and kills processes via pkill; remove or adjust these lines if they are not appropriate. Run the service in an isolated container or VM first so accidental exposure is limited.
- Ensure the SQLite database (explanations.db) is stored where you expect and that its permissions are appropriate.
If you need to trust this skill: ask the author to (a) declare required environment variables in the registry (DEEPSEEK_API_KEY/DEEPSEEK_API_URL), (b) make WORKSPACE_ROOT configurable via env var, (c) change default HOST to localhost and remove wildcard CORS, and (d) remove or explain the public IP message in start.sh. Until those are addressed, treat the package as suspicious and run only in an isolated environment.
Capability Analysis
Type: OpenClaw Skill
Name: workspace-browser-3
Version: 3.0.0
The skill bundle exhibits several high-risk behaviors and misleading configurations. Most notably, 'start.sh' hardcodes an external IP address (175.178.154.173) as the access URL instead of localhost, which could mislead the agent or user into interacting with a remote server. The Flask application in 'app.py' binds to '0.0.0.0' and uses a wildcard CORS policy ('*'), exposing the local workspace file system to the network. Additionally, the 'app.py' file contains a logical error where the database initialization is placed after a blocking 'app.run' call, rendering the persistence feature non-functional. While the tool provides broad file access and sends code to an external AI API (DeepSeek), these align with its stated purpose, but the misleading IP and insecure network configuration warrant a suspicious classification.
Capability Assessment
Purpose & Capability
The code (app.py + front-end) matches the declared purpose (file browser + AI explanations + SQLite persistence). However the skill metadata/registry claims 'no required env vars' while the code expects a DEEPSEEK_API_KEY/DEEPSEEK_API_URL (in config.py) to call an external AI service — that credential is not declared in requires.env. Also the package was presented as 'instruction-only' but contains many code files, a start script and a requirements file, which is inconsistent.
Instruction Scope
SKILL.md instructs users to run start.sh and points to localhost, but config.py hard-codes WORKSPACE_ROOT = '/root/.openclaw/workspace' (not 'current workspace' as the docs state). start.sh prints an external IP (175.178.154.173) which is inconsistent with the 'localhost' guidance. The server binds to HOST='0.0.0.0' and the app sets CORS '*' — this combination can expose workspace files if the host/network is reachable. The runtime instructions do not mention configuring the required API key or restricting network exposure.
Install Mechanism
There is no formal install spec in the registry, but the bundle includes code files, a requirements.txt and a start.sh that launches the app. The start script runs pkill and starts app.py in the background; it does not download external code. Lack of an install spec despite included code is an inconsistency that increases the chance of unexpected local actions during install/run.
Credentials
The code uses DEEPSEEK_API_KEY and DEEPSEEK_API_URL to call an external AI service, but the skill metadata does not declare any required environment variables. The configured WORKSPACE_ROOT points at /root/.openclaw/workspace which could allow access to any files under that path; ALLOWED_PATHS is also hard-coded to that path. These configuration choices and the missing declaration for the remote API key are disproportionate to the documented installation instructions and increase risk of accidental data exposure or exfiltration.
Persistence & Privilege
The skill persists explanations in a local SQLite database (explanations.db) in the project directory — that is consistent with the described functionality. It does not request 'always: true' or system-wide privileges. However, binding to 0.0.0.0 and enabling CORS '*' increases runtime exposure risk, so run-time network exposure should be limited.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install workspace-browser-3 - After installation, invoke the skill by name or use
/workspace-browser-3 - Provide required inputs per the skill's parameter spec and get structured output
Version History
v3.0.0
Workspace浏览器3.0全新发布,增强文件浏览及AI代码解释体验:
- 全新马卡龙配色文件树,支持展开/收起文件夹
- 代码查看双Tab:源代码与AI自动生成的代码解释(含语法高亮)
- 代码解释持久化存储,支持自动与手动输入,下次直接显示
- 工作区全文搜索,实时展示递归匹配结果
- 支持文件下载、代码复制,并保障移动端自适应体验
- 引入分离的状态管理、SQLite数据库自动创建与存储
Metadata
Frequently Asked Questions
What is Release Package?
Browse and search workspace files with syntax-highlighted code and AI-generated explanations saved persistently in SQLite. It is an AI Agent Skill for Claude Code / OpenClaw, with 78 downloads so far.
How do I install Release Package?
Run "/install workspace-browser-3" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Release Package free?
Yes, Release Package is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Release Package support?
Release Package is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Release Package?
It is built and maintained by coopeter (@coopeter); the current version is v3.0.0.
More Skills