Downloads: 218
Stars: 1
Active Installs: 0
Versions: 2
Install in OpenClaw
/install skills-registry-manager
Description
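A tool for managing and installing Claude Code skills. Use when: listing available skills, asking which skills exist, installing a skill, managing skills, adding a subscription, listing subscriptions, viewing subscriptions, deleting a subscription, unsubscribing. NOT for: tasks unrelated to skill management.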
Usage Guidance
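This skill is functionally self-consistent: it can manage a local registry and load skills from remote or local subscriptions. Note, however:
- A remote or third-party registry can contain arbitrary install fields (npx commands, git repository URLs, or local path references), and the agent will download and run these install steps as instructed. This is equivalent to letting a third party install and execute code on your machine. Only add subscription sources you fully trust.
- Subscription loading is recursive: a malicious registry can chain references to other registries and widen the impact. Before adding a subscription, it is best to open the registry file in a browser or fetch it manually and review its contents (especially the install fields).
- This skill expands environment variables and resolves relative paths. That helps with path resolution, but it can also be crafted to reference sensitive local paths (for example, configuration files under $HOME). Do not use a local path that points to sensitive files as a subscription URL, and confirm a local subscription's contents before adding it.
- npx and git clone pull in third-party code and may execute it. For a skill you do not trust, prefer to review the source manually or install it in an isolated environment.
If you plan to use this skill: subscribe only to trusted registries, review what the install field of every skill in a registry does, and avoid automatically accepting install commands from unknown sources; where possible, test the install flow in a sandbox or container first.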
Capability Analysis
Type: OpenClaw Skill
Name: skills-registry-manager
Version: 1.1.0
This skill acts as a package manager for Claude Code skills, capable of fetching remote registry files and executing shell commands (npx, git clone, cp) based on their content. While these functions are aligned with its stated purpose, the SKILL.md instructions create a significant Remote Code Execution (RCE) risk by directing the agent to expand environment variables via shell 'echo' and execute arbitrary strings from the 'install' field of a YAML registry. The ability to add remote subscriptions (e.g., to https://raw.githubusercontent.com/gavinyao/awesome-skills/main/registry.yaml) means the agent could be induced to run malicious payloads if a subscribed registry is compromised or untrusted.
Capability Assessment
Purpose & Capability
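The skill's name, description and required operations are consistent: it maintains registry.yaml, lists/installs/manages skills, and supports npx/git/local installation and subscription management; the described behavior matches the implementation instructions.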
Instruction Scope
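SKILL.md requires recursively loading local and remote subscriptions (which may reference one another), running npx/git/cp and similar commands according to the install fields defined in subscriptions, and reading file contents when loading local paths; these operations let the agent, without significant restriction, execute install commands supplied by remote or third parties and read local files, which enlarges the attack surface.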
Install Mechanism
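The skill itself has no install spec (it is instruction-only), which is a lower static risk; at runtime, however, it implicitly executes commands such as npx, git clone and cp. These are required for its function but result in code being downloaded and executed, so the risk depends on how trustworthy the subscription sources are.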
Credentials
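The skill does not require any declared credentials or environment variables, but its instructions allow expanding arbitrary environment variables ($HOME, $HOSTNAME, $USER, etc.) and resolving paths based on them. Although there is a legitimate reason for this in path resolution, information could be exposed if a malicious registry steers it to read sensitive paths or constructs paths that reference sensitive variables.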
Persistence & Privilege
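always:true is not set, and default autonomous invocation does not separately amplify privileges; the skill modifies its own registry.yaml (adding/removing subscriptions), which is its intended responsibility, and there are no instructions requiring it to modify other skills or system-wide configuration.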
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install skills-registry-manager
- After installation, invoke the skill by name or use /skills-registry-manager
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Subscribes to the awesome-skills registry by default, so new users can use it out of the box; naming unified as skill-registry-manager
v1.0.0
Initial release: manage and install Claude Code skills with subscription support
Frequently Asked Questions
What is Skill Registry Manager?
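A tool for managing and installing Claude Code skills. Use when: listing available skills, asking which skills exist, installing a skill, managing skills, adding a subscription, listing subscriptions, viewing subscriptions, deleting a subscription, unsubscribing. NOT for: tasks unrelated to skill management. It is an AI Agent Skill for Claude Code / OpenClaw, with 218 downloads so far.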
How do I install Skill Registry Manager?
Run "/install skills-registry-manager" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill Registry Manager free?
Yes, Skill Registry Manager is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Skill Registry Manager support?
Skill Registry Manager is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Skill Registry Manager?
It is built and maintained by gavinyao (@gavinyao); the current version is v1.1.0.