← Back to Skills Marketplace
Catch My Skill
by
russellfei
· GitHub ↗
· v1.0.0
408
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install catch-my-skill
Description
自动检测本地与线上 skill 版本差异 - 支持 ClawHub/GitHub,定期检查更新
README (SKILL.md)
Catch My Skill
自动检测本地与线上 skill 版本差异
功能
-
📋 维护两个列表
- 本地 skill 列表(含版本)
- 线上 skill 列表(ClawHub + GitHub)
-
⏰ 定时检查
- 每半小时自动获取线上版本
- 对比本地与线上版本差异
-
🔔 版本告警
- 本地落后时提醒更新
- 支持手动触发检查
列表文件
| 文件 | 说明 |
|---|---|
data/local.json |
本地 skill 列表 |
data/online.json |
线上 skill 列表 |
设计初衷
高粘性使用 - 只保留用户真正在用的 skills,避免装一堆不用的。
初始化流程
1. 首次运行 init
↓
2. 自动获取线上所有 skills(ClawHub + GitHub)
↓
3. 生成完整本地列表(含版本)
↓
4. 用户删除不想要的 skill
↓
5. 后续只跟踪保留下来的 skills
用户操作
# 首次初始化(从线上拉取全部)
/catch-my-skill init
# 删除不想要的 skill(减少跟踪)
/catch-my-skill remove white-stone-mem
# 添加回想跟踪的 skill
/catch-my-skill add elegant-sync
# 检查版本
/catch-my-skill check
# 本地落后时自动更新(任选一个渠道)
/catch-my-skill update elegant-sync
数据格式
local.json
{
"skills": [
{"name": "white-stone-mem", "version": "1.0.0", "path": "~/.openclaw/skills/white-stone-mem"},
{"name": "elegant-sync", "version": "1.0.1", "path": "~/.openclaw/skills/elegant-sync"}
],
"updated": "2026-02-28T16:00:00Z"
}
online.json
{
"clawhub": [
{"name": "white-stone-mem", "version": "1.0.0", "owner": "russellfei"},
{"name": "elegant-sync", "version": "1.0.3", "owner": "russellfei"}
],
"github": [
{"name": "minimax-mcp-call", "version": "1.0.0", "owner": "russellfei", "repo": "russellfei/minimax-mcp-call"}
],
"updated": "2026-02-28T16:00:00Z"
}
配置
自动检查间隔
在 .backup.env 中配置:
# 检查间隔(分钟),默认 30 分钟
CATCH_INTERVAL=30
GitHub 用户名
GITHUB_USERNAME=russellfei
工作流程
1. 定时触发(每30分钟)
↓
2. 获取 ClawHub 线上版本(clawhub inspect)
↓
3. 获取 GitHub 线上版本(gh api)
↓
4. 对比本地版本
↓
5. 输出差异报告
↓
6. 本地落后 → 提醒更新
输出示例
=== Skill 版本检查 ===
本地落后需更新:
⚠️ elegant-sync: 本地 1.0.1 \x3C 线上 1.0.3
本地已是最新:
✅ white-stone-mem: 1.0.0
✅ minimax-mcp-call: 1.0.0
线上新技能:
(无)
定时任务
自动添加到 crontab:
# 每30分钟检查
*/30 * * * * node /path/to/catch-my-skill/index.js check >> /home/orangepi/.openclaw/logs/catch-my-skill.log 2>&1
安装
# 复制到 skills 目录
cp -r catch-my-skill ~/.openclaw/workspace/skills/
# 初始化
node index.js init
更新日志
- 2026-02-28: 初始版本
Usage Guidance
Before installing, be aware of these points:
- Claims vs implementation: The README says it fetches all online skills, but the code only checks a hard-coded KNOWN_SKILLS list and only queries ClawHub for the periodic check. If you expect automatic discovery of every skill on ClawHub/GitHub, this implementation doesn't do that.
- Shell commands: The script runs shell commands (clawhub inspect/install, git clone) with execSync and interpolated strings. That will clone and install code from remote repos when you run update. Only run this on a machine where you're comfortable allowing those operations, and review the repos it will clone.
- Input sanitization: update uses the skill name directly in shell commands. If you run update with untrusted names, there is a risk of command injection. Prefer to only update skills from trusted names, or inspect/modify the code to validate names or use safer child_process APIs (no shell interpolation).
- File access: The skill reads/writes ~/.openclaw/.backup.env, ~/.openclaw/workspace/skills, and its own data/*.json files. Check the .backup.env file for unexpected content before use.
- Practical checks: If you plan to use it, consider reviewing index.js (particularly getOnlineSkills/initLocal/updateSkill) and either (a) remove or expand the hard-coded KNOWN_SKILLS, (b) add input validation/sanitization for skill names, and (c) confirm you want cron-style periodic checks that will run these commands.
Given the mismatches and the use of shell operations, proceed with caution and inspect/adjust the code to match your security expectations before enabling automated runs.
Capability Analysis
Type: OpenClaw Skill
Name: catch-my-skill
Version: 1.0.0
The skill is classified as suspicious due to a critical shell injection vulnerability found in `index.js`. The `updateSkill` function uses `execSync` with unsanitized user input (`process.argv[3]`) when constructing `git clone` and `clawhub install` commands, which allows for arbitrary command execution. Additionally, `SKILL.md` instructs the agent to establish persistence via a cron job, which, while intended for legitimate updates, could be leveraged by an attacker exploiting the shell injection vulnerability.
Capability Assessment
Purpose & Capability
The README/SKILL.md claim the tool will fetch 'all online skills (ClawHub + GitHub)', but the code only queries a hard-coded KNOWN_SKILLS list and only uses ClawHub for the periodic 'online' scan. GitHub is only used when attempting an update (git clone). The skill also reads ~/.openclaw/.backup.env (for GITHUB_USERNAME and interval) despite the registry metadata declaring no required env — this is a mismatch between claims and actual behavior.
Instruction Scope
Runtime instructions and the code generally align, but there are discrepancies: SKILL.md/README imply broader online discovery while the code limits discovery to a fixed list. The code executes shell commands (clawhub inspect, git clone, clawhub install) via execSync without sanitizing inputs; it reads/writes files under the user's home (~/.openclaw/workspace/skills and the skill's data/ directory). The skill suggests adding a cron job but does not itself add one.
Install Mechanism
No remote install or download step is declared and the package is instruction-only with a local index.js. Nothing in the manifest downloads arbitrary code at install time. However, runtime operations (git clone, clawhub install) will fetch remote repositories when you run update, which is expected for an updater.
Credentials
The registry lists no required environment variables, yet the code will read ~/.openclaw/.backup.env for GITHUB_USERNAME and CATCH_INTERVAL. These are not secrets, but the skill does access a user file not declared in metadata. No credentials (tokens/keys/passwords) are requested or used by the code as written.
Persistence & Privilege
The skill does not request always:true and does not modify other skills' configs. It writes its own data files under its data/ directory and interacts with ~/.openclaw/workspace/skills, which is consistent with an updater/tracker.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install catch-my-skill - After installation, invoke the skill by name or use
/catch-my-skill - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
自动检测本地与线上 skill 版本差异
Metadata
Frequently Asked Questions
What is Catch My Skill?
自动检测本地与线上 skill 版本差异 - 支持 ClawHub/GitHub,定期检查更新. It is an AI Agent Skill for Claude Code / OpenClaw, with 408 downloads so far.
How do I install Catch My Skill?
Run "/install catch-my-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Catch My Skill free?
Yes, Catch My Skill is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Catch My Skill support?
Catch My Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Catch My Skill?
It is built and maintained by russellfei (@russellfei); the current version is v1.0.0.
More Skills