← Back to Skills Marketplace
761
Downloads
0
Stars
4
Active Installs
1
Versions
Install in OpenClaw
/install skillstore
Description
Search, install, and create OpenClaw skills using intelligent matching across built-in, local, and GitHub skill repositories.
Usage Guidance
This skill appears to do what it says: search built-in/local/GitHub skills and install/create skills. Before installing or using it, review the main.js install/exec logic (look for exactly what commands it runs when installing a GitHub repo). Expect the CLI to read sibling skill directories (it scans SKILL.md/README.md), and expect it to write a local config.json in the skill directory. When installing a skill from GitHub, manually inspect the repo (or test in an isolated environment) because installers commonly shell out and may run repo-provided scripts. Also note the docs claim a different local-skill path (~/.openclaw/...) than the code uses — verify where it will actually search on your system if that matters.
Capability Analysis
Type: OpenClaw Skill
Name: skillstore
Version: 1.0.0
The `main.js` file contains a critical shell injection vulnerability (RCE) in the `installFromGitHub` function. It uses `child_process.exec` with unsanitized `repo` and `name` variables, which are directly sourced from GitHub API responses. A malicious GitHub repository with a crafted name could exploit this to execute arbitrary commands on the system when a user attempts to install it. Additionally, the `createNewSkill` function, when invoked via `skillstore create <name>`, is vulnerable to code injection as it embeds the unsanitized `<name>` argument directly into the generated `main.js` template, allowing for arbitrary code to be injected into newly created skills.
Capability Assessment
Purpose & Capability
Name/description (search/install/create skills) align with the included code and docs. Minor mismatch: SKILL.md says local skills are in ~/.openclaw/workspace/skills/, but main.js.searchLocal looks at the parent directory of the skill (path.join(__dirname, '..')). That's inconsistent but plausibly an implementation detail.
Instruction Scope
SKILL.md instructs searching known, local, and GitHub sources and installing from GitHub. main.js implements these searches, reads local skill files (SKILL.md/README.md) in sibling directories, queries the GitHub search API, and references child_process.exec (used for installs). The instructions do not show exact install commands the script will run — the presence of exec means installs could run arbitrary shell commands from repos, which is expected behavior for an installer but increases risk if you don't review targets first.
Install Mechanism
No install spec is declared (instruction-only), and no external archive downloads or extract steps are present in repository metadata. The included main.js uses HTTPS to call the GitHub API and uses child_process.exec for operations (likely cloning/installing). No suspicious external download URLs or shorteners were found in the provided files.
Credentials
The skill declares no required env vars or credentials and its code does not read secrets or environment variables. It uses only public GitHub API calls and local filesystem access relative to the skill location.
Persistence & Privilege
The skill is not always-enabled, and it stores state in a local config.json (CONFIG_FILE in its directory). It does not request elevated privileges or modify other skills' configs according to the provided files.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install skillstore - After installation, invoke the skill by name or use
/skillstore - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
SkillStore is a new skill manager for OpenClaw, providing intelligent search, install, and skill creation features.
- Search for skills (built-in, local, and on GitHub) with fuzzy matching and relevance scores.
- Install skills directly from GitHub.
- Create new skills using templates via `skillstore create <name>`.
- Visual match scoring makes it easy to assess relevance at a glance.
- List installed skills and browse the built-in database of 20 popular skills.
- No setup required—works out of the box.
Metadata
Frequently Asked Questions
What is Skillstore?
Search, install, and create OpenClaw skills using intelligent matching across built-in, local, and GitHub skill repositories. It is an AI Agent Skill for Claude Code / OpenClaw, with 761 downloads so far.
How do I install Skillstore?
Run "/install skillstore" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skillstore free?
Yes, Skillstore is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Skillstore support?
Skillstore is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Skillstore?
It is built and maintained by Glitch (@chris6970barbarian-hue); the current version is v1.0.0.
More Skills