← Back to Skills Marketplace

Path-Dispatch

Name: Path-Dispatch
Author: turinfohlen

by TurinFohlen · GitHub ↗ · v1.0.4 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install path-dispatch

Description

Discrete Hamiltonian task dispatch for multi-hop workflows. Maps task dependencies as a graph, precomputes reachability matrices, and solves constrained path...

Usage Guidance

This skill appears to do what it claims, but exercise caution before running it. Specific recommendations: - Review the included scripts/dispatch.py yourself (or in a sandbox) before executing. The code uses pickle to save/load a .cache file (filepath.cache). Unpickling attacker-controlled files can run arbitrary code; only use caches you created/trust. - If you will run this on untrusted triples files or in shared directories, set PATH_DISPATCH_NO_CACHE=1 to disable caching (SKILL.md documents this) or ensure cache files are access-controlled and created only by you. - The package requires numpy and scipy.sparse (requirements.txt) but no install mechanism is provided; install these dependencies in a controlled environment (virtualenv/container) prior to use. - Prefer running the script in an isolated environment (container/VM) until you validate its behavior and outputs. - If you plan to let an agent invoke this skill autonomously, consider restricting which input file paths the agent can pass to it, to avoid the agent pointing the script at unexpected files or attacker-controlled cache files. If you want, I can: (a) point out the exact lines to change to replace pickle with a safe serialization format, (b) produce a minimal install spec (pip) to include dependencies, or (c) produce a sandboxed wrapper that validates cache contents before unpickling.

Capability Analysis

Type: OpenClaw Skill Name: path-dispatch Version: 1.0.4 The skill implements a graph-based task dispatcher using a custom triple format. The primary security concern is the use of 'pickle.load()' in 'scripts/dispatch.py' to load cached graph data from a file. This creates a Remote Code Execution (RCE) vulnerability if an attacker can place a malicious '.cache' file in the working directory. While 'SKILL.md' includes a security note warning about this behavior and provides a method to disable it (PATH_DISPATCH_NO_CACHE=1), the inclusion of inherently unsafe deserialization logic for a caching feature is a high-risk vulnerability.

Capability Assessment

✓ Purpose & Capability

Name/description, SKILL.md, and the included Python code are coherent: the script parses triple-formatted workflow files, builds a normalized graph with virtual nodes, precomputes reachability, and provides matrix/path/query/deps commands matching the stated purpose.

ℹ Instruction Scope

Instructions only tell the agent to run the provided CLI (python dispatch.py <file> ...). They operate on user-supplied triples files and create/read a local cache file (filepath.cache). No instructions attempt to read unrelated system credentials or exfiltrate data, but the script will open arbitrary files the agent points it at (the intended triples file and its .cache).

⚠ Install Mechanism

This is an 'instruction-only' skill with bundled Python code and a requirements.txt listing numpy and scipy.sparse but no install spec. There's no declared mechanism for installing dependencies, so the runtime may fail or an installer step (not specified) might be needed — the missing install spec is a deployment/runtime inconsistency.

⚠ Credentials

No required credentials are requested (ok). SKILL.md documents an optional env var PATH_DISPATCH_NO_CACHE to disable caching — the registry didn't list any env variables, which is acceptable for optional flags but is an inconsistency to note. More importantly, the script loads and saves a pickle-based cache (filepath.cache) using pickle.load/pickle.dump which can execute arbitrary code if that cache file is attacker-controlled; allowing the agent to read or accept cache files from untrusted locations is a real risk.

ℹ Persistence & Privilege

always:false and no system-wide configuration changes are requested (ok). The skill writes per-workflow cache files (filepath.cache) in the same directory as the triples file — this is expected for caching but increases risk surface because those files are untrusted input to pickle on subsequent runs.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install path-dispatch
After installation, invoke the skill by name or use /path-dispatch
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.4

- Added backup metadata file `_meta.json.bak` for the skill. - Updated environment variable configuration: removed 不存在的 `PATH_DISPATCH_PICKLE_CACHE` in SKILL.md.

v1.0.3

- Added documentation for environment variables: `PATH_DISPATCH_NO_CACHE` and `PATH_DISPATCH_PICKLE_CACHE`. - No functional code changes; documentation and metadata update only.

v1.0.2

No changes detected in code or documentation for version 1.0.2. - 增加了安全提示。规避莫名其妙不知所谓的审核。天哪，谁会去故意乱读二进制文件呢，这根本就没有在设计内。 - All features and behaviors remain the same as the previous release.

v1.0.1

- Major refactor: All logic is now contained in a new scripts/dispatch.py module, replacing the previous dispatch.py root file. - Added requirements.txt for explicit dependency declaration. - Removed sample documentation files (example_binary.md, example_hyperedge.md) from the codebase. - Added package structure with scripts/__init__.py. - SKILL.md updated to clarify script usage, caching, and to increase documented task sequence scale (now 10-1000+ steps).

v1.0.0

Initial release of path-dispatch, a skill for Hamiltonian task dispatch in multi-hop workflows. - Maps task dependencies as a graph and precomputes reachability matrices for efficient decision-making. - Supports complex workflows with 10–100+ steps, allowing LLMs to sequence tasks without losing intermediate state. - Handles hyperedges (multi-source/multi-target tasks) via virtual node normalization, enabling parallel dispatch. - Provides efficient `next_hops` queries to determine valid next steps within a given step budget, preventing dead ends. - Command-line interface for graph building, path finding, and dependency querying, with support for markdown triple input format.

Metadata

Slug path-dispatch

Version 1.0.4

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 5

Frequently Asked Questions

What is Path-Dispatch?

Discrete Hamiltonian task dispatch for multi-hop workflows. Maps task dependencies as a graph, precomputes reachability matrices, and solves constrained path... It is an AI Agent Skill for Claude Code / OpenClaw, with 72 downloads so far.

How do I install Path-Dispatch?

Run "/install path-dispatch" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Path-Dispatch free?

Yes, Path-Dispatch is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Path-Dispatch support?

Path-Dispatch is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Path-Dispatch?

It is built and maintained by TurinFohlen (@turinfohlen); the current version is v1.0.4.

More Skills