← Back to Skills Marketplace
Agent Marketplace
by
yuyonghao-123
· GitHub ↗
· v0.1.0
· MIT-0
130
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install yuyonghao-agent-marketplace
Description
Agent Marketplace enables skill discovery, rating, version control, dependency management, and installation with conflict detection and rollback support.
Usage Guidance
This package appears to implement a legitimate agent marketplace, but it will reach out to a remote registry and can download and write code to your filesystem (default installDir './skills' and cache './.marketplace-cache'). Before installing or running it: 1) Verify and trust the registry URL (change it from the default if necessary). 2) Run it in an isolated environment or container and set installDir/dataDir to a folder with limited privileges. 3) Review any downloaded skill code before executing it — the installer writes package.json and index.js files (or arbitrary blobs fetched from skill.downloadUrl). 4) If you operate in a sensitive environment, prefer a private/local registry and enable auditing of cached/install files. 5) Note there are no requested credentials, so no secrets appear to be exfiltrated by default; however, a compromised registry or malicious downloadUrl could deliver harmful code — treat remote sources as untrusted unless you control or verify them.
Capability Analysis
Type: OpenClaw Skill
Name: yuyonghao-agent-marketplace
Version: 0.1.0
The bundle implements a functional 'Agent Marketplace' for discovering and installing skills, which involves high-risk capabilities such as downloading remote code and performing local file operations. Specifically, `src/installer.js` contains logic to download packages from remote URLs and write code directly to the filesystem, while `src/registry.js` communicates with an external registry (clawhub.com). Although these behaviors are aligned with the stated purpose of a package manager and include some basic sanitization (e.g., regex-based filename filtering in the registry cache), the inherent risk of remote code execution and arbitrary file persistence without robust signature verification qualifies the bundle as suspicious under the provided criteria.
Capability Assessment
Purpose & Capability
Name/description (Agent Marketplace) align with the code and SKILL.md. The modules implement catalog, registry access, search, rating, installation, dependency resolution and rollback — all expected for a marketplace. No surprising credentials, binaries, or unrelated capabilities are requested.
Instruction Scope
SKILL.md instructs normal marketplace usage (search, getSkill, install, rate). Runtime behavior (from the code) includes remote registry requests, caching, writing a local cache and writing installed skill files (package.json, index.js if provided) into installDir and cache directories. The instructions do not ask for unrelated files or secrets, but the installer will fetch and persist remote code which broadens the agent's runtime scope (network I/O + filesystem writes).
Install Mechanism
This skill is instruction-only (no platform-level install spec). The code performs HTTP(S) requests to the configured registry (default https://clawhub.com/registry) and may download arbitrary package blobs via skill.downloadUrl. Fetched responses are cached and written to disk. This is expected for a marketplace, but fetching arbitrary URLs and writing code to disk is a higher-risk action if the registry or download URLs are untrusted.
Credentials
The skill declares no required environment variables, credentials, or config paths. Code stores local data under configurable directories (dataDir/cacheDir, installDir, backupDir) and records user preferences/ratings; it does not request external tokens. The lack of secret requirements is proportionate to the described functionality.
Persistence & Privilege
always is false and model invocation is allowed (default). The skill persists only under its own directories (.marketplace-cache, installDir './skills' by default) and manages its own installed/history files. It does not modify other skills' configurations or request system-wide privileges in the codebase provided.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install yuyonghao-agent-marketplace - After installation, invoke the skill by name or use
/yuyonghao-agent-marketplace - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of Agent Marketplace.
- Provides a system for skill discovery, rating, version management, and transactions.
- Features include searchable skill directory, user rating system, personal recommendations, and installation management.
- Supports publishing, updating, and compatibility checks for skills.
- Includes API for searching, installing, rating, and managing skill versions.
- Offers both basic and advanced usage examples in the documentation.
Metadata
Frequently Asked Questions
What is Agent Marketplace?
Agent Marketplace enables skill discovery, rating, version control, dependency management, and installation with conflict detection and rollback support. It is an AI Agent Skill for Claude Code / OpenClaw, with 130 downloads so far.
How do I install Agent Marketplace?
Run "/install yuyonghao-agent-marketplace" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Agent Marketplace free?
Yes, Agent Marketplace is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Agent Marketplace support?
Agent Marketplace is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Agent Marketplace?
It is built and maintained by yuyonghao-123 (@yuyonghao-123); the current version is v0.1.0.
More Skills