- Downloads: 677
- Stars: 0
- Active Installs: 0
- Versions: 2
Install in OpenClaw
/install source-library
Description
Searchable knowledge base that captures and cross-references everything users share. Auto-triggers when user shares ANY URL (article, tweet, thread, repo, vi...
Usage Guidance
This skill appears to do what it says: create and manage a local markdown knowledge base. Before installing or enabling auto-triggering, consider the following:
- Privacy: the skill auto-processes and saves any URL shared in chat. If you (or other users) sometimes post private links, one-off auth-bearing URLs, or internal resources, those could be written to disk. Avoid sharing sensitive links while it's enabled or disable the auto-trigger.
- Workspace location: set OPENCLAW_WORKSPACE to a directory you control (or run setup in a sandbox workspace) so saved files go where you expect (life/source/*). Review permissions on that directory.
- Inspect the remainder of the code: the provided source shows only filesystem operations, but a truncated portion remains. Review the full scripts/source-library.js to confirm there are no network fetches or remote endpoints used when auto-processing.
- Run tests in a sandbox: run scripts/test.js with OPENCLAW_WORKSPACE pointed to a disposable temp directory to see behavior and outputs before using with real data.
- Canonicalization limits: the code strips some tracking params (utm_*, fbclid, gclid, etc.) but will not remove secrets embedded in URL paths or uncommon query param names. Be careful with token-bearing URLs.
- Control auto-processing: if you want the library but not automatic captures, install the skill but do not enable the agent-side auto-trigger, or use the CLI manually to save only links you want persisted.
Capability Analysis
Type: OpenClaw Skill
Name: source-library
Version: 2.1.1
The skill is vulnerable to shell injection due to the `SKILL.md`'s auto-trigger behavior combined with `allowed-tools: "Bash(node:*)"`. The agent is instructed to execute `node scripts/source-library.js save` with arguments derived from user-shared URLs (e.g., `--name`, `--url`, `--claims`). If these user-controlled values are not properly sanitized by the agent before constructing the Bash command, a malicious user could inject arbitrary shell commands. Additionally, the agent is instructed to 'Analyze with context' using content from user-populated markdown files, creating a potential prompt injection vector against the agent itself.
Capability Assessment
Purpose & Capability
Name/description match what is provided: Node.js scripts that create and manage a local markdown-based knowledge base under life/source. The skill requires no credentials, no external binaries, and the code reads/writes workspace files to implement the described features (save, list, search, connections, queue). There are no environment variables or binaries requested that are unrelated to the purpose.
Instruction Scope
SKILL.md instructs the agent to auto-process any URL shared in chat and to run the included node script commands. The runtime instructions and code operate on workspace files and call node scripts via shell (allowed-tools 'Bash(node:*)'), which is consistent with the described behavior. This auto-triggering can capture links the user didn't intend to persist. The visible code performs filesystem traversal to find a workspace root and reads/writes files under life/source; that is coherent but has privacy implications. The provided files do not show arbitrary network calls, but the SKILL.md implies automatic analysis (agent-level summarization) — review the rest of the code (the truncated portion) to confirm no web fetching or remote endpoints are contacted when auto-processing.
Install Mechanism
No install spec is provided (instruction-only install), so nothing is downloaded or extracted during install. The package includes only local Node.js scripts and a package.json; there are no remote URLs, third-party packages fetched by the skill itself, or installation steps that would pull arbitrary code from the network.
Credentials
The skill requests no secrets or API keys. It optionally respects OPENCLAW_WORKSPACE to locate the workspace root, which is proportionate. There are no credentials or config paths declared that would grant access to unrelated services.
Persistence & Privilege
always:false and disable-model-invocation:false (defaults) — the skill can be invoked autonomously by the agent, and SKILL.md describes automatic triggers on shared URLs. The skill writes persistent markdown files under the user's workspace (life/source). This is expected for a knowledge-base skill, but combined with the auto-capture behavior it increases the risk of unintentionally persisting sensitive URLs or metadata. The skill does not request system-wide privileges or attempt to modify other skills' configs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install source-library`
- After installation, invoke the skill by name or use `/source-library`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.1
Clean republish, improved README with usage examples
v2.1.0
Decay tracking, cross-references, conflict detection, connection mapping, hybrid search support
Frequently Asked Questions
What is Source Library?
Searchable knowledge base that captures and cross-references everything users share. Auto-triggers when user shares ANY URL (article, tweet, thread, repo, vi... It is an AI Agent Skill for Claude Code / OpenClaw, with 677 downloads so far.
How do I install Source Library?
Run "/install source-library" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Source Library free?
Yes, Source Library is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Source Library support?
Source Library is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Source Library?
It is built and maintained by Don-GBot (@don-gbot); the current version is v2.1.1.