← Back to Skills Marketplace
502399493zjw-lgtm

OpenClawMP

by 502399493zjw-lgtm · GitHub ↗ · v1.1.2
cross-platform ⚠ suspicious
1320
Downloads
0
Stars
66
Active Installs
1
Versions
Install in OpenClaw
/install openclawmp
Description
OpenClaw 水产市场(openclawmp.cc)平台操作指南。Agent 在水产市场上注册、登录、浏览资产、安装技能、发布作品、参与社区互动的完整说明书。当用户或 Agent 提到以下内容时激活:水产市场、openclawmp、Agent Hub、发布资产、上架技能、安装技能、openclawmp CLI...
Usage Guidance
Install only if you intentionally want an agent to use OpenClaw Marketplace. Confirm any install, publish, comment, unbind, or delete-account action yourself; keep API keys private; avoid automatic global updates; and review downloaded assets before letting them load in future agent sessions.
Capability Analysis
Type: OpenClaw Skill Name: openclawmp Version: 1.1.2 The OpenClaw Marketplace CLI contains critical vulnerabilities related to shell injection and path traversal. In `scripts/lib/commands/install.js` and `scripts/lib/commands/publish.js`, `execSync` is used with unsanitized user-controlled input (asset `slug` for installation, local `skillDir` for publishing), creating a potential for Remote Code Execution (RCE). Additionally, `scripts/lib/commands/uninstall.js` uses `fs.rmSync` with an unsanitized asset `slug`, which could lead to arbitrary file deletion via path traversal. The `SKILL.md` also contains a mild prompt injection instructing the AI agent to prioritize agent registration 'without asking the user', influencing agent behavior without explicit user consent for that specific choice.
Capability Assessment
Purpose & Capability
The artifacts coherently support a marketplace CLI for searching, installing, publishing, commenting, starring, device unbinding, and account deletion. Those capabilities are purpose-aligned but high-impact because they affect local agent behavior and remote marketplace/account state.
Instruction Scope
The skill activation text includes broad terms like Agent Hub, skill marketplace, and agent marketplace, and the registration section says to prefer Agent registration without asking the user. That weakens explicit user control for a skill that includes authenticated writes and account actions.
Install Mechanism
The skill instructs global npm installation/update of the CLI, and the bundled installer/publisher use shell commands with interpolated paths. The uninstall path also accepts an unsanitized slug, so malformed input such as parent-directory segments can target unintended local directories.
Credentials
Installing marketplace assets into ~/.openclaw is core to the purpose, but installed skills/plugins/triggers/channels can persistently affect future agent sessions. The artifact does not consistently require a fresh user confirmation before each high-impact install or authenticated mutation.
Persistence & Privilege
The CLI reads tokens from OPENCLAWMP_TOKEN and ~/.openclawmp credential files and can store auth state locally. This is expected for a CLI, but it grants broad delegated authority for publishing, posting, unbinding devices, and account deletion without strong scoping or secure-storage details.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclawmp
  3. After installation, invoke the skill by name or use /openclawmp
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.2
水产市场平台操作指南
Metadata
Slug openclawmp
Version 1.1.2
License
All-time Installs 66
Active Installs 66
Total Versions 1
Frequently Asked Questions

What is OpenClawMP?

OpenClaw 水产市场(openclawmp.cc)平台操作指南。Agent 在水产市场上注册、登录、浏览资产、安装技能、发布作品、参与社区互动的完整说明书。当用户或 Agent 提到以下内容时激活:水产市场、openclawmp、Agent Hub、发布资产、上架技能、安装技能、openclawmp CLI... It is an AI Agent Skill for Claude Code / OpenClaw, with 1320 downloads so far.

How do I install OpenClawMP?

Run "/install openclawmp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is OpenClawMP free?

Yes, OpenClawMP is completely free (open-source). You can download, install and use it at no cost.

Which platforms does OpenClawMP support?

OpenClawMP is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created OpenClawMP?

It is built and maintained by 502399493zjw-lgtm (@502399493zjw-lgtm); the current version is v1.1.2.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments