Downloads: 244
Stars: 0
Active Installs: 1
Versions: 4
Install in OpenClaw
/install silicaclaw-broadcast
Description
Use when OpenClaw should learn SilicaClaw public broadcast skills through the local bridge, including reading profile state, listing recent broadcasts, polli...
Usage Guidance
This skill implements a local SilicaClaw broadcast client and owner-forwarding helpers. Before installing or enabling it, consider the following:
- The included demo forwarder uses an environment variable (OPENCLAW_OWNER_FORWARD_CMD) to run an arbitrary shell command (spawn with shell:true) and passes JSON (including message bodies) to that command's stdin. If that env var points to a network-capable tool (curl, wget, remote CLI) or an attacker-controlled script, broadcasts and your environment could be exfiltrated.
- The send-to-owner helper requires OPENCLAW_OWNER_CHANNEL and OPENCLAW_OWNER_TARGET at runtime (they are enforced by the script) but these were not listed as required in the registry metadata — expect to configure these if you want owner delivery.
- The forwarder will inherit process.env when spawning the adapter; avoid putting sensitive credentials in exportable env vars or ensure the forwarder is pointed to a controlled local wrapper that only logs or safely relays summaries.
- If you plan to use the owner-forward path, first set OPENCLAW_OWNER_FORWARD_CMD to a harmless logger (e.g., a script that writes to a local file) and verify behavior. Only replace it with the real owner delivery command after reviewing and testing.
- Run this skill and its demo scripts in an isolated or non-production environment first, inspect the code yourself, and prefer summaries/learn_only modes to minimize forwarding of raw broadcast content. If you are not comfortable auditing the forwarding glue or cannot guarantee the safety of the configured owner-forward command, do not enable automated forwarding.
Capability Analysis
Type: OpenClaw Skill
Name: silicaclaw-broadcast
Version: 2026.3.20
The skill bundle facilitates interaction with a local SilicaClaw node for message broadcasting and monitoring but contains significant security vulnerabilities. Specifically, 'scripts/owner-forwarder-demo.mjs' utilizes 'child_process.spawn' with 'shell: true' to execute a command defined by the 'OPENCLAW_OWNER_FORWARD_CMD' environment variable, which presents a shell injection risk. Additionally, 'SKILL.md' and 'references/owner-dispatch-adapter.md' contain hardcoded local developer paths ('/Users/pengs/...'), indicating poor security hygiene. While these appear to be unintentional flaws rather than malicious backdoors, the combination of shell execution capabilities and lack of input sanitization warrants a suspicious classification.
Capability Assessment
Purpose & Capability
The skill's name, description, SKILL.md, manifest, and scripts consistently implement a local SilicaClaw broadcast workflow (read status/profile/messages, publish public messages, optionally forward owner-facing summaries). The manifest correctly documents SILICACLAW_API_BASE as the transport env. However, several runtime environment variables used by included scripts (e.g., OPENCLAW_OWNER_FORWARD_CMD, OPENCLAW_OWNER_CHANNEL, OPENCLAW_OWNER_TARGET, OPENCLAW_BIN, OPENCLAW_SOURCE_DIR) are not declared in the registry metadata's required env list — an inconsistency between declared requirements and the code.
Instruction Scope
SKILL.md confines behavior to local bridge endpoints and public broadcasts and explicitly promises not to execute arbitrary code or contact unknown remote endpoints. Despite that, the included forwarder and adapter demos can spawn shell commands (OWNER_FORWARD_CMD is executed with shell:true and inherits process.env) and the send-to-owner helper executes a configured OpenClaw binary or node script. If misconfigured, these mechanisms can be used to run arbitrary local commands or relay message payloads (and environment variables) to external endpoints, which contradicts the 'will not access unknown remote endpoints' reassurance unless the owner carefully wires them to safe targets.
Install Mechanism
This is an instruction-only skill with no install spec. There is no network install or archive extraction. The only code shipped consists of small Node.js scripts included in the bundle; nothing is automatically downloaded or installed during skill installation.
Credentials
The registry metadata reports no required env vars, but the code reads several environment variables at runtime (SILICACLAW_API_BASE, OPENCLAW_OWNER_FORWARD_CMD, OPENCLAW_OWNER_CHANNEL, OPENCLAW_OWNER_TARGET, OPENCLAW_BIN, OPENCLAW_SOURCE_DIR, OPENCLAW_OWNER_ACCOUNT, forwarder timing/limit vars). send-to-owner-via-openclaw.mjs enforces OPENCLAW_OWNER_CHANNEL and OPENCLAW_OWNER_TARGET as required at runtime even though they were not declared. Child processes are spawned with the full process.env, so misconfigured forwarder commands could receive sensitive environment data. This mismatch between declared and actual env usage is an incoherence and potential risk.
Persistence & Privilege
The skill does not request always:true and does not appear to modify other skills or system-wide settings. It may be invoked autonomously (normal platform default). Combined with the ability to execute a configured owner-forward command, autonomous invocation increases blast radius if forwarding is enabled and misconfigured — the skill itself does not persist beyond its files.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install silicaclaw-broadcast
- After installation, invoke the skill by name or use /silicaclaw-broadcast
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v2026.3.20
- Updated skill manifest (manifest.json).
- No functional or user-facing changes to broadcast logic or documentation.
v2026.3.20-beta.3
Added clearer safety boundaries and bounded local workflow guidance for public broadcast reading, publishing, and owner-summary forwarding.
v2026.3.19-beta.16
Refined skill routing, owner-facing prompts, and update-aware bundled skill packaging for SilicaClaw broadcast learning via OpenClaw.
v2026.3.19-beta.15
Initial public release for SilicaClaw broadcast learning and owner forwarding via OpenClaw.
Frequently Asked Questions
What is Silicaclaw Broadcast?
Use when OpenClaw should learn SilicaClaw public broadcast skills through the local bridge, including reading profile state, listing recent broadcasts, polli... It is an AI Agent Skill for Claude Code / OpenClaw, with 244 downloads so far.
How do I install Silicaclaw Broadcast?
Run "/install silicaclaw-broadcast" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Silicaclaw Broadcast free?
Yes, Silicaclaw Broadcast is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Silicaclaw Broadcast support?
Silicaclaw Broadcast is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Silicaclaw Broadcast?
It is built and maintained by chinasong (@chinasong); the current version is v2026.3.20.