Skill
by yx2601816404-sys · v2.3.1
925 Downloads · 0 Stars · 1 Active Installs · 15 Versions
Install in OpenClaw
/install skill-store
Description
Smart skill installation advisor for ClawHub. Searches for skills matching your needs, evaluates candidates on security (via skill-shield), code quality, and...
Usage Guidance
This skill is an advisor that will use your clawhub CLI to install and inspect other skills and will run a local skill-shield scanner. That is consistent with its purpose but: (1) clarify the metadata mismatch — it DOES need clawhub and a scanner even though metadata claims 'zero external dependencies'; (2) only run it in a disposable or isolated workspace (use --workdir pointing at a temp directory or container) because 'clawhub install' can run package install hooks from third-party skills; (3) verify the scanner path (SKILL_SHIELD_SCANNER) and review the generated report before allowing any recommended installation; (4) if you need higher assurance, run the tool with --top 1 and inspect the candidate skill contents manually before letting it install or recommend anything; (5) if the author can explain/correct the contradictory metadata (required binaries/env vs declared none), that will raise confidence.
Capability Analysis
Type: OpenClaw Skill
Name: skill-store
Version: 2.3.1
The 'skill-store' skill, designed for security evaluation, contains critical vulnerabilities. The `scripts/evaluate.py` script allows arbitrary code execution via the `--scanner` argument and arbitrary file write/deletion via the `--workdir` argument, due to insufficient input validation when handling user-provided paths. Additionally, the `webapp/index.html` is vulnerable to Cross-Site Scripting (XSS) as it directly interpolates skill names and descriptions from `skills.json` into the DOM without proper sanitization. While these flaws could enable severe attacks, there is no clear evidence of intentional malicious behavior by the 'skill-store' itself; rather, they are vulnerabilities in its implementation.
Capability Assessment
Purpose & Capability
SKILL.md and scripts/evaluate.py implement a ClawHub search/install + skill-shield scan + quality scoring pipeline — that matches the name/description. However the top-level metadata claims 'zero external dependencies' and lists no required binaries/env, while the README and script clearly require the 'clawhub' CLI and access to a skill-shield scanner (or SKILL_SHIELD_SCANNER env). This mismatch is incoherent and should be clarified.
Instruction Scope
The runtime instructions and evaluate.py stay within the advertised scope: they search ClawHub, install candidate skills into a working directory, run a security scanner, inspect files to measure quality, and produce reports. That said, installing arbitrary skills (even into a temporary workdir) and running their scanners means you will execute code from untrusted packages (via the clawhub install process and any install hooks those skills contain). That behavior is expected for this tool but is an important security consideration.
Install Mechanism
There is no install spec (instruction-only). The package includes a Python script you run manually; nothing in the skill metadata writes installers or downloads code at install time. The script itself will download/install candidate skills using the external 'clawhub' tool when you run it — that is expected for the stated purpose.
Credentials
The skill metadata declares no required env vars, but evaluate.py checks SKILL_SHIELD_SCANNER and the SKILL.md requires an authenticated clawhub CLI and access to skill-shield's scan.py. The script also probes user home paths for a local scanner copy. These environment/credential requirements are reasonable for the tool's function, but the metadata omission is misleading and should be corrected.
Persistence & Privilege
The skill is not marked always:true and does not attempt to modify other skills or global agent configuration. It writes to and cleans up a working directory and can uninstall candidate dirs. No persistent privileged presence is requested by the skill itself.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install skill-store
- After installation, invoke the skill by name or use /skill-store
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.3.1
849 skill scan data (A=157, B=83, C=59, D=50, F=35, 465 doc-only). 864 skills installed.
v2.3.0
836 skill scan data (A=156, B=78, C=59, D=50, F=35, 458 doc-only). 851 skills installed.
v2.2.1
694 skill scan data refresh (196 safe, 120 risky, 378 doc-only). 703 skills installed.
v2.2.0
694 skill scan data (135 A, 61 B, 47 C, 42 D, 31 F, 378 doc-only). Up from 393 in v2.1.0.
v2.1.0
v2.1.0: 393 skills scanned. 121 safe, 62 risky, 210 doc-only. 85 A-rated.
v2.0.0
v2.0.0: 374 skills scanned. 116 safe, 61 risky, 197 doc-only. 81 A-rated skills.
v1.9.0
v1.9.0: 358 skills scanned (was 336). 115 safe, 60 risky, 183 doc-only. 80 A-rated skills.
v1.8.0
v1.8.0: 336 skills scanned (was 307). 109 safe, 52 risky, 175 doc-only.
v1.7.0
v1.7.0: 307 skills scanned (was 258). 94 safe, 50 risky, 163 doc-only. 300+ milestone.
v1.6.0
v1.6.0: 258 skills scanned (was 201). 77 safe, 43 risky, 138 doc-only.
v1.5.0
v1.5.0: 201 skills scanned (was 181). 64 safe, 35 risky, 102 doc-only. Scanned with skill-shield v0.6.1.
v1.4.0
Updated scan data to 181 skills
v1.3.0
v1.3.0: Updated scan data with skill-shield v0.4.0 (142 skills). A-rated: 22→42.
v1.2.0
v1.2.0: Bundle store-app Web UI with pre-scanned data for 108 skills. Updated skill-shield integration to v0.3.1 dual rating.
v1.1.0
v1.1.0: Smart skill installation advisor. Search, evaluate, compare, recommend. Uses skill-shield dual rating.
Frequently Asked Questions
What is Skill?
Smart skill installation advisor for ClawHub. Searches for skills matching your needs, evaluates candidates on security (via skill-shield), code quality, and... It is an AI Agent Skill for Claude Code / OpenClaw, with 925 downloads so far.
How do I install Skill?
Run "/install skill-store" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill free?
Yes, Skill is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Skill support?
Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Skill?
It is built and maintained by yx2601816404-sys (@yx2601816404-sys); the current version is v2.3.1.