610 Downloads | 1 Stars | 4 Active Installs | 1 Versions
Install in OpenClaw
/install sync-trending
Description
Monitor technology trends (GitHub, etc.), contextualize them against the user's project, and autonomously verify them through installation and testing. Use...
Usage Guidance
This skill does what it says — it will look at your local project and, if you approve, clone and run third‑party repositories to verify them. That is powerful but risky: cloning and installing dependencies can execute arbitrary code (via postinstall scripts or build steps) and might access or leak data. Before using this skill, consider the following:
1) Only allow deep dives when you trust the repository and explicitly grant permission each time.
2) Prefer the skill be changed to use strong isolation (run clones inside a disposable VM or container, drop privileges, and avoid cloning into your home directory).
3) Require and enforce dependency isolation (Python virtualenv/venv, use npm ci with --ignore-scripts or install in a container) to reduce postinstall risk.
4) Never let it access secrets or environment variables; verify the agent's memory ('save_memory') does not contain sensitive data.
5) If you need stronger guarantees, run manual verifications yourself in an isolated environment or ask the skill author to add explicit sandboxing instructions.
Providing the skill with explicit sandbox/container steps or a policy that forbids global installs would reduce my concern.
Capability Analysis
Type: OpenClaw Skill
Name: sync-trending
Version: 0.1.0
This skill is classified as suspicious due to its inherent design to execute arbitrary, untrusted code from external sources. The `SKILL.md` explicitly instructs the agent to use `run_shell_command` to `git clone` repositories and then run build/install commands (`npm install`, `pip install`, `npm start`) based on instructions found in the untrusted repository's `README.md`. While the skill includes safety guidelines like requiring explicit user permission, cloning into a temporary directory, and instructing the agent not to expose secrets, the act of executing code from untrusted trending repositories (a known supply chain attack vector) poses a significant risk of remote code execution if a trending project is malicious or compromised. This represents a critical vulnerability rather than intentional malice by the skill itself.
Capability Assessment
Purpose & Capability
Name/description match the instructions: fetching trending sources, contextualizing against the user's project, and verifying repos by cloning/running them are coherent with the skill's stated purpose.
Instruction Scope
The SKILL.md directs the agent to read local project files (README.md, package.json) and — with user permission — to git clone, install dependencies, and run third‑party code. While it requires asking permission before cloning/executing, it lacks concrete, safe sandboxing steps (containerization, virtualenv, non-root user), and it explicitly clones into a home subdirectory (~/.gemini/tmp/) rather than an isolated ephemeral environment.
Install Mechanism
Instruction-only skill with no install spec or external downloads; this minimizes install-time risk. The primary risk comes from runtime behavior (cloning and running untrusted code), not from the skill installing software itself.
Credentials
The skill requests no environment variables or credentials, which is appropriate, but it instructs reading local project files and checking 'save_memory' — actions that can expose secrets. The SKILL.md advises not to expose secrets but does not specify how to detect or avoid accidentally reading/transmitting them. Dependency installs (npm/pip) and repository code may trigger arbitrary network activity or postinstall scripts that access local resources.
Persistence & Privilege
always:false and default model invocation are appropriate. The skill does not request permanent presence or modify other skills. The main privilege concern is runtime (ability to clone/run code) rather than persistence.
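The Usage Guidance and the Capability Assessment above both come down to the same set of runtime checks before a "deep dive": the clone target must not live under the user's home directory, dependency installs must not run package-supplied code, and the environment handed to the subprocess must not carry credentials. The following pre-flight guard is an added example written for this listing; it is not part of the sync-trending skill or of OpenClaw, and the function names, the lifecycle-hook list and the secret-name heuristic are assumptions chosen for illustration. The sample package.json and environment are constructed inline.

```python
"""Pre-flight guard for a 'deep dive' verification step.

Added example for this listing; it is not part of the sync-trending skill or
OpenClaw.  Function names, the hook list and the secret-name heuristic are
assumptions chosen for illustration.
"""
import json
import re
from pathlib import Path

# npm lifecycle hooks that a plain `npm install` runs automatically
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic for credential-looking variable names (constructed for this example)
SECRET_NAME_RE = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|CREDENTIAL", re.I)

# Constructed sample inputs: a trending repo's package.json and an agent environment
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "trending-tool",
    "scripts": {"postinstall": "node setup.js", "start": "node index.js"},
})
SAMPLE_ENV = {"PATH": "/usr/bin", "HOME": "/home/alice", "GITHUB_TOKEN": "ghp_constructed"}


def clone_target_is_isolated(target, home):
    """True only if the clone directory is outside the user's home tree."""
    t, h = Path(target).resolve(), Path(home).resolve()
    return t != h and h not in t.parents


def lifecycle_scripts(package_json_text):
    """Lifecycle hooks a plain `npm install` would execute for this package.json."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in NPM_LIFECYCLE_HOOKS}


def scrubbed_env(environ):
    """Environment copy with credential-looking variables removed."""
    return {k: v for k, v in environ.items() if not SECRET_NAME_RE.search(k)}


def install_command(ecosystem):
    """Install command that does not execute package-supplied code at install time."""
    if ecosystem == "npm":
        return ["npm", "ci", "--ignore-scripts"]
    if ecosystem == "pip":
        # wheels only, so no setup.py from an sdist runs; install into the repo's own venv
        return [".venv/bin/pip", "install", "--only-binary", ":all:", "-r", "requirements.txt"]
    raise ValueError("unsupported ecosystem: " + ecosystem)


def preflight(target, home, package_json_text, environ):
    """Decide whether the agent may proceed and what the user must explicitly approve."""
    hooks = lifecycle_scripts(package_json_text)
    env = scrubbed_env(environ)
    isolated = clone_target_is_isolated(target, home)
    return {
        "isolated": isolated,
        "lifecycle_scripts": hooks,
        "dropped_env": sorted(set(environ) - set(env)),
        "install": install_command("npm"),
        # --ignore-scripts skips the hooks, but the user should still see what was there
        "needs_approval": bool(hooks),
        "allowed": isolated,
    }


if __name__ == "__main__":
    # A /tmp target passes; the skill's ~/.gemini/tmp/ path is refused
    for target in ("/tmp/trend-abc123", "/home/alice/.gemini/tmp/trending-tool"):
        print(target, preflight(target, "/home/alice", SAMPLE_PACKAGE_JSON, SAMPLE_ENV))
```

The guard blocks only on the clone location; a postinstall hook is surfaced for explicit approval rather than silently skipped, which matches the "grant permission each time" point in the guidance. Running the resulting install inside a disposable container with the scrubbed environment is the remaining step the skill would need to spell out.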
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install sync-trending
- After installation, invoke the skill by name or use /sync-trending
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of sync-trending.
- Monitors technology trends (e.g., GitHub Trending) and contextualizes them for the user's project.
- Provides "Contextualized Trend Reports" linking trending tools to project-specific value.
- Offers to verify trends by cloning and testing repositories, with explicit user permission.
- Summarizes verification outcomes and, if desired, generates actionable reports or integration plans.
- Includes strong safety guidelines for handling third-party code.
Frequently Asked Questions
What is sync-trending?
Monitor technology trends (GitHub, etc.), contextualize them against the user's project, and autonomously verify them through installation and testing. Use... It is an AI Agent Skill for Claude Code / OpenClaw, with 610 downloads so far.
How do I install sync-trending?
Run "/install sync-trending" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is sync-trending free?
Yes, sync-trending is completely free (open-source). You can download, install and use it at no cost.
Which platforms does sync-trending support?
sync-trending is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created sync-trending?
It is built and maintained by K (@likw99); the current version is v0.1.0.