← Back to Skills Marketplace
rpm-packager
by
yukariccccccc
· GitHub ↗
· v1.0.0
396
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install rpm-packager
Description
Build installable RPM packages from source code on CentOS/RHEL by creating SPEC files and compiling for versions 7, 8, or 9 RPM-based systems.
Usage Guidance
This skill appears to do what it says: build RPMs using local build tools. Before using it: (1) review the included script and spec-template yourself (they are provided); (2) run builds on a non-sensitive machine or VM if you have any doubt; (3) ensure you have the required tooling installed (rpm-build, mock, gcc, make) — SKILL.md mentions them but the metadata does not; (4) the script writes to ~/rpmbuild and will include whatever is in your source directory in the package, so verify source contents to avoid packaging secrets; and (5) do not run the sudo install commands unless you trust the environment. Overall the skill is coherent and low-risk, but the metadata omissions are a documentation gap to be aware of.
Capability Analysis
Type: OpenClaw Skill
Name: rpm-packager
Version: 1.0.0
The skill is classified as suspicious due to a critical command injection vulnerability in `scripts/build-rpm.sh`. User-provided inputs such as `PACKAGE_NAME`, `VERSION`, and `RELEASE` are directly embedded into the generated RPM SPEC file without sanitization. This allows a malicious user to inject arbitrary commands into the SPEC file, which `rpmbuild` will execute, leading to potential Remote Code Execution (RCE). Additionally, the `SKILL.md` explicitly instructs the agent to use `sudo` for system package management, providing a high-privilege execution path that could be abused if the agent is prompted with malicious instructions or inputs.
Capability Assessment
Purpose & Capability
The skill's name/description match the included files: a build script and SPEC template that create RPMs. However, the registry metadata declares no required binaries or OS restriction while SKILL.md and the script clearly rely on rpm-build, mock, gcc/make and expect CentOS/RHEL tooling. This is a documentation inconsistency (not necessarily malicious) that could confuse users about what must be installed.
Instruction Scope
The SKILL.md instructions and build script stay within the stated scope: preparing source, creating a tarball, generating a SPEC file, and running rpmbuild/mock. They require sudo only for installing prerequisites (not for the build itself). There are no instructions to read unrelated system files, exfiltrate data, or call external endpoints.
Install Mechanism
This is an instruction-only skill with no install spec — lowest-risk install model. All code is included in the bundle (scripts and templates); there are no downloads from external URLs or archive extraction from untrusted hosts.
Credentials
The skill does not request credentials or secrets. It does use optional environment variables (RPM_BUILDER_NAME, RPM_BUILD_DIR) documented in SKILL.md and consumed by the script, but none are declared in the skill's metadata. This is a minor mismatch in metadata vs. behavior but not a secret-exfiltration risk.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always:false). It writes build outputs under the user's home (~/rpmbuild) and runs build tools locally. The only privileged action mentioned is using sudo to install prerequisite packages, which is standard for preparing a build environment.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install rpm-packager - After installation, invoke the skill by name or use
/rpm-packager - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of rpm-packager.
- Build RPM packages from source code for CentOS/RHEL systems.
- Includes automated script for building packages with sample usage.
- Guides for preparing source, installing prerequisites, and running the build process.
- Instructions for customizing SPEC files and handling dependencies.
- Supports builds for CentOS 7/8/9 using mock.
- Documents output locations, environment variables, and security notes.
Metadata
Frequently Asked Questions
What is rpm-packager?
Build installable RPM packages from source code on CentOS/RHEL by creating SPEC files and compiling for versions 7, 8, or 9 RPM-based systems. It is an AI Agent Skill for Claude Code / OpenClaw, with 396 downloads so far.
How do I install rpm-packager?
Run "/install rpm-packager" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is rpm-packager free?
Yes, rpm-packager is completely free (open-source). You can download, install and use it at no cost.
Which platforms does rpm-packager support?
rpm-packager is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created rpm-packager?
It is built and maintained by yukariccccccc (@yukariccccccc); the current version is v1.0.0.
More Skills