← Back to Skills Marketplace
150
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install obs
Description
Comprehensive Open Build Service (OBS) management with full API support for projects, packages, repositories, builds, submit requests, files, users, and search.
Usage Guidance
What to check before installing/running:
- Review the two bundled scripts (references/obs-lib.sh and scripts/obs-expert-setup.sh) yourself; all code is included.
- The skill needs your OBS API token (OBS_USERNAME/OBS_TOKEN) or an oscrc file; only supply a token you trust and keep it minimal-scope and rotatable.
- The setup script will write ~/.config/osc/oscrc and can append credentials to your shell rc (~/.bashrc or ~/.zshrc). Prefer using ~/.config/osc/oscrc with chmod 600 rather than storing tokens in shell rc.
- Do not run the setup script as root unless you deliberately want to create system-wide symlinks; creating a symlink in /usr/local/bin requires root and expands the attack surface.
- The API library uses eval to construct curl commands; if you plan to pass filenames or other inputs containing untrusted content, inspect or sanitize inputs to avoid command injection.
- Test in a safe environment (non-production user or container) first. If you proceed, rotate the token after initial testing and follow least-privilege practices.
- If anything looks unexpected (external endpoints other than api.opensuse.org, unusual network calls, or credential exfiltration), do not proceed and ask for clarification from the author.
Capability Analysis
Type: OpenClaw Skill
Name: obs
Version: 1.0.1
The skill bundle provides a comprehensive interface for Open Build Service (OBS) management but contains a critical shell injection vulnerability in 'references/obs-lib.sh'. The 'obs_api_call' function uses 'eval' to execute 'curl' commands, which can be exploited for remote code execution (RCE) if an attacker or a malicious prompt influences the arguments (such as the 'data' or 'endpoint' parameters). While the tool's stated purpose is legitimate and the setup script 'scripts/obs-expert-setup.sh' follows standard (though sensitive) credential handling practices, the presence of such a high-risk coding flaw warrants a suspicious classification.
Capability Assessment
Purpose & Capability
Name/description (OBS management) match the included scripts and library: the skill calls the OBS API, manages projects/packages/builds/files, and asks for OBS credentials (API token or oscrc). The only minor inconsistency is that the registry metadata lists no required env vars while SKILL.md and the scripts clearly expect OBS_APIURL/OBS_USERNAME/OBS_TOKEN or ~/.config/osc/oscrc.
Instruction Scope
Runtime instructions and included scripts read/write user config (~/.config/osc/oscrc), may append credentials to shell rc files (~/.bashrc or ~/.zshrc), create temp cookie files in /tmp, and suggest creating a symlink in /usr/local/bin. The API helper uses eval to build and run curl commands (obs_api_call), which can introduce command‑injection risk if inputs are not strictly sanitized. These behaviors are within the tool's purpose but increase risk and should be reviewed before use.
Install Mechanism
No network install/downloads or external installers are used; this is an instruction-and-script package bundled with the skill. That lowers supply-chain risk compared with arbitrary remote downloads. All code is present in the repository for inspection.
Credentials
The credentials requested (OBS username and API token or oscrc) are appropriate for an OBS client. However, the skill metadata did not declare these required env vars even though SKILL.md and scripts depend on them; that's an inconsistency to be aware of. The setup script stores the token in ~/.config/osc/oscrc and optionally appends it to the user shell rc — storing secrets in shell rc is not best practice.
Persistence & Privilege
The skill does not request global 'always' privilege. The included setup script writes to per-user config files and can append environment variables to shell rc; it also suggests creating a symlink in /usr/local/bin (which requires elevated privileges). These are reasonable for a CLI tool but require user consent and care (avoid running as root unless intended).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install obs - After installation, invoke the skill by name or use
/obs - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Updated display name to lowercase
v1.0.0
Renamed from obs-expert to obs - Full OBS API coverage with bilingual documentation
Metadata
Frequently Asked Questions
What is obs?
Comprehensive Open Build Service (OBS) management with full API support for projects, packages, repositories, builds, submit requests, files, users, and search. It is an AI Agent Skill for Claude Code / OpenClaw, with 150 downloads so far.
How do I install obs?
Run "/install obs" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is obs free?
Yes, obs is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does obs support?
obs is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created obs?
It is built and maintained by wei dong (@weidongkl); the current version is v1.0.1.
More Skills