← Back to Skills Marketplace
406
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install skill-isolator
Description
Project-based skill isolation and management. Enables different projects to use different skill sets with automatic loading based on current working director...
Usage Guidance
What to check before using this skill:
- The sync script runs 'clawhub install <skill>' via execSync. Make sure you have the 'clawhub' CLI installed and trust it before running the sync script; the skill does not declare this as a required binary in its metadata.
- The scripts will read and write files under your home directory (e.g., ~/.openclaw/cache, ~/.openclaw/logs, ~/.openclaw/skills). If you prefer not to have those paths written, review/modify the code first.
- Example config mentions GitHub token (GITHUB_TOKEN) for git sources; if you later enable git/url sources you may need to expose credentials. The current sync script reports git/url as 'not yet implemented', but the validate/example files reference auth, so be cautious if you edit configs to include credentials.
- SKILL.md says skills will 'auto-sync on project enter' — the package provides flags and config options but no background watcher; you'll need to wire the sync script into your shell, editor, or agent to get automatic behavior.
- Recommended actions: inspect the scripts locally (they are small and readable), run validate-config.js on any config you create, and run sync-project-skills.js in a test directory first to observe what it writes and what external commands it invokes. If you do not want the 'clawhub' dependency or any network installs, avoid running the sync script or remove/modify the installFromClawhub function.
Capability Analysis
Type: OpenClaw Skill
Name: skill-isolator
Version: 1.0.0
The skill bundle provides a utility for project-based skill isolation but contains a shell injection vulnerability. In `scripts/sync-project-skills.js`, the `installFromClawhub` function uses `execSync` to execute shell commands constructed directly from the `skillName` and `version` fields found in the `.openclaw-skills.json` configuration file without any sanitization. A maliciously crafted configuration file could exploit this to run arbitrary system commands. While the overall logic appears aligned with its stated purpose and lacks evidence of intentional malice or data exfiltration, the high-risk implementation of system calls qualifies it as suspicious.
Capability Assessment
Purpose & Capability
The skill's name/description align with the included scripts (init, validate, sync) and the file layout. However, the runtime code invokes an external 'clawhub' CLI to install skills even though the skill metadata does not declare any required binaries; the SKILL.md and examples also reference git/url sources and optional auth (GITHUB_TOKEN) even though git/url support is 'not yet implemented' in the sync script. These are inconsistencies between claimed capabilities and actual implementation or declared requirements.
Instruction Scope
SKILL.md instructs the agent/user to create project config files and run the provided scripts. The scripts scan up to 10 parent directories for .openclaw-skills.json, read/write cache and log files under ~/.openclaw (or APPDATA path), and call external installers. The SKILL.md promises 'automatic' loading on project enter; the repo only provides scripts and configuration options for autoSync, but no background hook/daemon — auto-sync would need a shell or agent integration to run the sync script on directory change. The scripts access typical environment variables (HOME, APPDATA, USERPROFILE) and filesystem paths which is expected for this functionality.
Install Mechanism
There is no remote install specification (no downloads or extract steps). All code is included in the package and the sync script runs local actions and calls the external 'clawhub' command. This is low-risk from an installation artifact perspective, but runtime exec of external commands is present.
Credentials
The package declares no required environment variables, but the scripts read standard environment variables (HOME, APPDATA, USERPROFILE) to determine cache/skill/log locations — this is reasonable. Example configs and validate logic reference an 'auth' object that can point to an env var (e.g., GITHUB_TOKEN) for git sources; the code currently logs that git/url support is unimplemented but the presence of that example means a user could add auth/env-based settings later. The inconsistency is that the skill does not explicitly state it may use credentials for git or other sources.
Persistence & Privilege
The skill does not request always:true or modify other skills' configs. It writes cache and logs to ~/.openclaw and installs skills into ~/.openclaw/skills — that is expected for its purpose. Autonomous invocation by the model is enabled by default on the platform, but the skill itself is implemented as CLI scripts; there's no evidence it autonomously registers a persistent background service. The SKILL.md's 'auto-sync on project enter' is a configuration feature, not an implemented background watcher in the code.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install skill-isolator - After installation, invoke the skill by name or use
/skill-isolator - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release providing project-based skill isolation, multi-source support, and automated management.
- Enables per-project skill isolation and automatic loading based on current working directory.
- Supports multiple skill sources (clawhub, local, git, url) with priority-based resolution and version locking.
- Provides scripts for skill synchronization, configuration validation, and interactive setup.
- Integrates caching, conflict resolution, and auto-sync on project entry or missing skills.
- Offers troubleshooting guidance and best practices for project and team usage.
Metadata
Frequently Asked Questions
What is skill-isolator?
Project-based skill isolation and management. Enables different projects to use different skill sets with automatic loading based on current working director... It is an AI Agent Skill for Claude Code / OpenClaw, with 406 downloads so far.
How do I install skill-isolator?
Run "/install skill-isolator" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is skill-isolator free?
Yes, skill-isolator is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does skill-isolator support?
skill-isolator is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created skill-isolator?
It is built and maintained by Criss_Su (@sucriss); the current version is v1.0.0.
More Skills