← Back to Skills Marketplace
welkeyever

Dynamic Skill Manager

by Wenju Gao · GitHub ↗ · v1.0.1
cross-platform ✓ Security Clean
258
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install dynamic-skill-manager
Description
Track and manage OpenClaw skills usage, find idle skills, and safely uninstall unused ones. Use when: - User wants to see what skills are installed or track...
README (SKILL.md)

Dynamic Skill Manager

Track skill usage, find idle skills, and safely manage skill lifecycle.

⚠️ Security Notice

v0.2.0 includes critical security fixes:

  • Path traversal vulnerability fixed in uninstall_skill()
  • Input validation for all skill names
  • Symlink attack prevention
  • System skill protection

Core Concepts

概念 说明
Dynamic Skill 按需安装的 skill,可清理
Pinned Skill 系统 skill,受保护不可删除
Registry skill 元数据存储

自动保护的系统 Skillsself-improving-agent, pahf, error-log-selfcheck, dynamic-skill-manager

Quick Start

# 同步已安装 skills 到注册表
python3 ~/.openclaw/workspace/skills/dynamic-skill-manager/scripts/skill_manager.py sync

# 列出所有 skills(📌 = pinned)
python3 ~/.openclaw/workspace/skills/dynamic-skill-manager/scripts/skill_manager.py list

# 查看系统 skills
python3 ~/.openclaw/workspace/skills/dynamic-skill-manager/scripts/skill_manager.py pinned

# 查找闲置 skills(N 天未使用)
python3 ~/.openclaw/workspace/skills/dynamic-skill-manager/scripts/skill_manager.py idle 30

# 安全卸载 skill(有输入验证)
python3 ~/.openclaw/workspace/skills/dynamic-skill-manager/scripts/skill_manager.py uninstall \x3Cskill-name>

# 记录 skill 使用
python3 ~/.openclaw/workspace/skills/dynamic-skill-manager/scripts/skill_manager.py track \x3Cskill> "\x3Ccontext>"

Data Location

~/.openclaw/workspace/.skill-manager/
├── registry.json      # Skill 元数据
├── usage-log.jsonl    # 使用历史
└── archive/           # 已卸载 skill 的元数据

Registry Schema

{
  "skills": {
    "skill-name": {
      "installed_at": "2026-03-07T03:00:00Z",
      "source": "clawhub",
      "usage_count": 5,
      "last_used": "2026-03-07T03:00:00Z",
      "context_keywords": ["keyword1"],
      "pinned": false
    }
  }
}

Integration Points

  • After skill use: track_usage(skill_name, context_summary)
  • On user request: list_skills(), find_idle_skills(days)

Security Features

The uninstall_skill() function includes multiple safety checks:

  1. Input Validation: Skill names must be alphanumeric with dashes/underscores only
  2. Path Traversal Prevention: Resolves paths and verifies containment within skills directory
  3. Symlink Detection: Rejects symlinks to prevent attacks
  4. System Skill Protection: Prevents accidental deletion of critical skills

Script Reference

See scripts/skill_manager.py for implementation.

Usage Guidance
This skill appears to do what it claims — manage and remove local skills — and it does not request unrelated credentials or external downloads. Things to consider before installing or enabling autonomous use: - Back up your ~/.openclaw/workspace/skills and registry before running uninstall/sync operations, because uninstall will remove directories with shutil.rmtree. - Usage logs (context strings) are written to ~/.openclaw/workspace/.skill-manager/usage-log.jsonl unencrypted; avoid sending sensitive user data into the track command or consider rotating/clearing logs. - There is a subtle implementation issue: the code calls Path.resolve() before checking for symlinks, so the intended symlink check may not always detect certain symlink attack patterns. Also consider TOCTOU race conditions between path checks and deletion. If you plan to use this in a multi-user or adversarial environment, ask the author to patch the uninstall logic (check is_symlink on the non-resolved path or inspect path components with lstat; perform atomic checks and removals or require extra confirmation for risky operations). - Consider disabling autonomous model invocation for this skill or requiring explicit user confirmation for uninstall operations to reduce the risk of accidental or automated deletions of skills (especially when using the --force option which overrides system-skill protection). If you want higher assurance, request the complete, untruncated source and ask the author to demonstrate fixes for the symlink/TOCTOU concerns and to add an explicit user confirmation step for destructive actions.
Capability Analysis
Type: OpenClaw Skill Name: dynamic-skill-manager Version: 1.0.1 The dynamic-skill-manager skill provides legitimate functionality for tracking and managing OpenClaw skill lifecycles, including usage tracking and cleanup of idle skills. The implementation in scripts/skill_manager.py includes robust security controls, such as regex-based input validation, path resolution checks to prevent traversal, and symlink detection before performing directory deletions. No evidence of data exfiltration, unauthorized execution, or malicious intent was found.
Capability Assessment
Purpose & Capability
Name/description match what the code and SKILL.md do: enumerate, track, find idle skills, archive and uninstall skills under ~/.openclaw/workspace/skills. Only python3 is required and no unrelated services or credentials are requested.
Instruction Scope
Instructions and script operate only on local OpenClaw paths (registry, usage log, skills directory). They perform destructive actions (shutil.rmtree on skill directories) which is expected for an uninstall tool, and they log usage context to disk. This matches the stated functionality, but the script stores usage/context locally (unencrypted) and can remove skill directories — the user should be aware that invoking uninstall will irrevocably delete skill files unless archived/backed up.
Install Mechanism
No external install or remote download steps; it's an instruction-only skill with an included Python script. Nothing is fetched from arbitrary URLs or package registries.
Credentials
No environment variables, credentials, or unrelated config paths are requested. The requested filesystem access is proportional to the purpose (reading/writing ~/.openclaw workspace files).
Persistence & Privilege
The skill is not always-enabled and requests no special platform privileges. However it can delete skill directories and update registry files; if the agent is allowed to invoke the skill autonomously (default model-invocation not disabled), an LLM could call uninstall operations without explicit user confirmation. Consider requiring explicit user confirmation for destructive actions or disabling autonomous invocation if you want to limit risk.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install dynamic-skill-manager
  3. After installation, invoke the skill by name or use /dynamic-skill-manager
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
**v0.2.0 includes important security improvements and new usage features:** - Fixed path traversal and symlink vulnerabilities in skill uninstallation - Added strict input validation for skill names - Enhanced system skill protection to prevent accidental deletion - Updated usage to include safe uninstall commands - Refined when agents should use or recommend this skill based on context and security
v1.0.0
Initial release of Dynamic Skill Manager for OpenClaw. - Install, uninstall, and list dynamic skills via command-line tools. - Track and log usage data for each skill, supporting context-aware recommendations. - Identify and cleanup unused (idle) skills after configurable inactivity. - Support for "pinned" system skills that cannot be cleaned up. - Centralized registry and log storage with clear data schema and integration points.
Metadata
Slug dynamic-skill-manager
Version 1.0.1
License
All-time Installs 1
Active Installs 1
Total Versions 2
Frequently Asked Questions

What is Dynamic Skill Manager?

Track and manage OpenClaw skills usage, find idle skills, and safely uninstall unused ones. Use when: - User wants to see what skills are installed or track... It is an AI Agent Skill for Claude Code / OpenClaw, with 258 downloads so far.

How do I install Dynamic Skill Manager?

Run "/install dynamic-skill-manager" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Dynamic Skill Manager free?

Yes, Dynamic Skill Manager is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Dynamic Skill Manager support?

Dynamic Skill Manager is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Dynamic Skill Manager?

It is built and maintained by Wenju Gao (@welkeyever); the current version is v1.0.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments