Trending Skills

by hjw21century · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
968 Downloads · 0 Stars · 3 Active Installs · 1 Versions
Install in OpenClaw
/install trending-skills
Description
Fetches skills.sh trending rankings. Use when asking about skill rankings or popular tools.
Usage Guidance
This skill appears to do what it says: scrape skills.sh for trending rankings and optionally fetch detail pages. Before installing or running it:
  1. Be aware you'll be asked to install Playwright and Chromium, which download browser binaries and may require system libraries; use a virtual environment or container if you prefer isolation.
  2. The code will perform HTTP requests to SKILLS_BASE_URL; ensure that the SKILLS_BASE_URL environment variable is not pointed at an untrusted host (default is https://skills.sh).
  3. Review or run the Python scripts locally first if you want to inspect network traffic or output; no credentials are requested.
  4. Minor note: src/__init__.py contains unrelated docstring text (likely leftover), but this looks like harmless leftover metadata rather than malicious behavior.
Capability Analysis
Type: OpenClaw Skill
Name: trending-skills
Version: 0.1.0
The skill is classified as suspicious due to several significant vulnerabilities, despite its stated benign purpose of fetching trending skills. The primary concerns are a potential shell injection vulnerability in SKILL.md where user input for `<skill-name>` is directly passed to `python src/detail_fetcher.py`, and a Server-Side Request Forgery (SSRF) risk. The `SKILLS_BASE_URL` in `src/config.py` is configurable via environment variables, allowing `src/detail_fetcher.py` and `src/skills_fetcher.py` to fetch data from arbitrary domains if the agent's environment is compromised. Furthermore, `src/skills_fetcher.py` launches a Chromium browser with `--no-sandbox` and `--with-deps` for Playwright, which, while sometimes necessary in containerized environments, significantly reduces the browser's security posture and amplifies the impact of an SSRF or browser exploit. There is no clear evidence of intentional malicious behavior such as data exfiltration to an attacker-controlled endpoint or backdoor installation.
Capability Assessment
Purpose & Capability
Name/description (fetch skills.sh trending rankings) align with the included code and instructions. The Python files implement a Playwright-based scraper for the trending page and a requests/BeautifulSoup detail fetcher. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md gives concrete steps: run skills_fetcher.py (requires Playwright+chromium) for rankings and detail_fetcher.py (requires requests, bs4, lxml) for details. The runtime behavior is limited to HTTP GETs of skills.sh (or an alternate SKILLS_BASE_URL if the environment overrides it) and local HTML parsing. The only minor scope note: config supports SKILLS_BASE_URL env override — if set to an attacker-controlled host the scraper would fetch that host instead of the official site.
Install Mechanism
No explicit install spec in registry metadata (instruction-only), but SKILL.md instructs installing Playwright and running 'playwright install chromium --with-deps', which will download browser binaries and system dependencies via Playwright. This is expected for a headless-browser scraper but requires network access and elevated disk usage; the install commands come from public packages (pip/playwright).
Credentials
The skill declares no required environment variables or credentials. The only relevant env var in code is SKILLS_BASE_URL (optional override) which is proportional to the scraper purpose. No secrets/tokens/keys are requested.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modify other skills. It runs as an on-demand scraper and does not attempt to store or escalate privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install trending-skills
  3. After installation, invoke the skill by name or use /trending-skills
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of trending-skills.
  - Fetches and displays trending skill rankings from skills.sh.
  - Supports both ranking list queries (e.g., "Top 10 skills") and individual skill detail lookups.
  - Provides quick start usage examples and CLI commands.
  - Lists requirements and troubleshooting steps for setup.
  - No configuration is required for basic use.
Metadata
Slug trending-skills
Version 0.1.0
License
All-time Installs 3
Active Installs 3
Total Versions 1
Frequently Asked Questions

What is Trending Skills?

Fetches skills.sh trending rankings. Use when asking about skill rankings or popular tools. It is an AI Agent Skill for Claude Code / OpenClaw, with 968 downloads so far.

How do I install Trending Skills?

Run "/install trending-skills" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Trending Skills free?

Yes, Trending Skills is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Trending Skills support?

Trending Skills is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Trending Skills?

It is built and maintained by hjw21century (@hjw21century); the current version is v0.1.0.
