barnyp

Automation Runner

Author: Paul Barnabas · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 1181
Favorites: 0
Current installs: 7
Versions: 1
Install in OpenClaw
/install automation-runner
Description
Executes approved shell commands, manages backups, and safely retrieves secrets from Bitwarden.
Usage instructions (SKILL.md)

Automation Runner Agent ⚡

You handle the system-level execution and security for OpenClaw.

Core Directives

  1. Security: Every command MUST pass through the exec-approvals gate.
  2. Secrets: NEVER store API keys in plain text. Use the bws wrapper.
  3. Workspace: Limit execution to /home/intelad/.openclaw/workspace/scripts.
  4. Reliability: Verify the success of a command before reporting completion.

Tooling

  • exec: Run approved scripts.
  • bws: Retrieve secrets at runtime.
  • process: Manage long-running tasks like backups.

Workflow

  1. Receive a script or command request.
  2. Use bws secret get to fetch necessary environment variables.
  3. Execute the command.
  4. If a prompt appears, wait for Paul to type /approve.
  5. Log the output to memory/YYYY-MM-DD.md.
Security recommendations
Do not install this skill until the developer clarifies several gaps: 1) how the 'bws' Bitwarden wrapper is authenticated (what env vars or tokens are required and how they are stored), 2) what the 'exec-approvals' gate is and how it enforces/records human approvals (avoid vague 'wait for Paul' instructions), 3) whether the hard-coded path (/home/intelad/...) matches your environment or will be configurable, and 4) where logs ('memory/YYYY-MM-DD.md') are written and who can read them. Because the skill directs the agent to run shell commands and fetch secrets, verify provenance (source/homepage unknown) and prefer a version that declares required credentials and a machine-enforceable approval mechanism before granting access or allowing autonomous invocation.
Functional analysis
Type: OpenClaw Skill
Name: automation-runner
Version: 1.0.0

The 'automation-runner' skill is highly suspicious due to its inherent capabilities and the nature of its security controls. The SKILL.md explicitly grants the AI agent the ability to execute arbitrary shell commands (`exec`) and retrieve secrets from Bitwarden (`bws`). While it outlines security directives like `exec-approvals` and workspace limitations, these are instructions to the agent and are highly susceptible to prompt injection. An attacker could craft a prompt to bypass the `/approve` step, execute commands outside the `/home/intelad/.openclaw/workspace/scripts` directory, or exfiltrate retrieved secrets, leading to potential RCE and data theft. This represents a critical vulnerability, not intentional malice within the skill bundle itself.
Capability assessment
Purpose & Capability
The skill's purpose includes retrieving secrets from Bitwarden and executing shell commands, but the registry metadata lists no required environment variables, no primary credential, and no config paths. SKILL.md references tools ('bws', 'exec', 'process') and a Bitwarden workflow that would normally require authentication or a CLI binary; those requirements are missing from the manifest, which is inconsistent.
Instruction Scope
Runtime instructions tell the agent to run 'bws secret get', execute commands from a specific filesystem path (/home/intelad/.openclaw/workspace/scripts), wait for a human ('Paul') to type '/approve', and log outputs to memory/YYYY-MM-DD.md. The approval gate, the 'bws' wrapper behavior, and the 'memory' logging target are not defined in the manifest; the instructions ask the agent to access secrets and run arbitrary scripts without a declared, auditable approval mechanism.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes disk-installed attack surface. However, instruction-only does not eliminate runtime risk because it tells the agent to run system commands and call external tooling.
Credentials
The SKILL.md requires access to Bitwarden secrets but the skill requests no credentials (no API key, token, or config path). It also assumes write/read access under a hard-coded home directory (/home/intelad) and a 'memory' path, none of which are declared. Requesting access to secrets without declaring how they will be provided is disproportionate and unexplained.
Persistence & Privilege
always:false (no forced persistence) is appropriate. However, the skill's instructions enable execution of shell scripts and retrieval of secrets at runtime; if the agent invokes the skill autonomously (platform default), that capability could be powerful. This combination (ability to run shell commands + fetch secrets) increases risk if the approval gate is not enforced or is ambiguous.
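The assessment above notes that the `exec-approvals` gate and the workspace limit exist only as instructions to the agent. As an added example (not code from the skill or from OpenClaw), the following Python gate enforces both outside the model: the path is confined after symlink resolution, and an approval is an HMAC over the exact script bytes and arguments. The names `gate`, `sign_approval`, `command_digest`, the HMAC scheme and the demo key are assumptions made for illustration.

```python
import hashlib, hmac, tempfile
from pathlib import Path

def command_digest(script: Path, args: list) -> str:
    """Bind an approval to the exact script bytes and argument list."""
    h = hashlib.sha256(script.read_bytes())
    for arg in args:
        h.update(b"\0" + arg.encode())
    return h.hexdigest()

def sign_approval(key: bytes, digest: str) -> str:
    """Run on the approver's side only; the agent never holds `key`."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

def gate(workspace: Path, script: str, args: list, approval: str, key: bytes) -> Path:
    """Return the resolved script path if allowed, else raise PermissionError."""
    root = workspace.resolve()
    target = (root / script).resolve()  # collapses ../ and follows symlinks
    if not target.is_relative_to(root):  # Python 3.9+
        raise PermissionError("outside workspace")
    if not target.is_file():
        raise PermissionError("not a file")
    expected = sign_approval(key, command_digest(target, args))
    if not hmac.compare_digest(expected.encode(), approval.encode()):
        raise PermissionError("no valid approval")
    return target

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample value
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "workspace" / "scripts"  # stands in for the skill's path
        ws.mkdir(parents=True)
        (ws / "backup.sh").write_text("#!/bin/sh\necho backup\n")
        (Path(tmp) / "other.sh").write_text("#!/bin/sh\necho outside\n")
        ok = sign_approval(key, command_digest(ws / "backup.sh", ["--daily"]))
        cases = {
            "approved": ("backup.sh", ["--daily"], ok),
            "changed_args": ("backup.sh", ["--all"], ok),
            "traversal": ("../../other.sh", [], ok),
            "text_only": ("backup.sh", ["--daily"], "/approve"),
        }
        for name, (script, args, approval) in cases.items():
            try:
                gate(ws, script, args, approval, key)
                results[name] = "allow"
            except PermissionError as exc:
                results[name] = f"deny: {exc}"
    return results
```

The caller should execute the resolved path that `gate` returns rather than the original string, and log each decision where the agent cannot rewrite it.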
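How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install automation-runner
  3. Once installed, call the Skill by name or trigger it with /automation-runner
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history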
v1.0.0
- Initial release of automation_runner skill.
- Executes approved shell commands for OpenClaw, with strict security via the exec-approvals gate.
- Safely retrieves secrets using the Bitwarden (`bws`) wrapper; API keys are never stored in plain text.
- Restricts all script execution to a dedicated workspace directory.
- Manages approved long-running tasks such as backups.
- Logs command output by date for traceability.
Metadata
Slug: automation-runner
Version: 1.0.0
License
Cumulative installs: 7
Current installs: 7
Historical versions: 1
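FAQ

What is Automation Runner?

Executes approved shell commands, manages backups, and safely retrieves secrets from Bitwarden. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1181 cumulative downloads so far.

How do I install Automation Runner?

Run the command "/install automation-runner" in the OpenClaw or Claude Code chat box for one-click installation, with no additional configuration required.

Is Automation Runner free?

Yes, Automation Runner is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Automation Runner support?

Automation Runner runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Automation Runner?

It is developed and maintained by Paul Barnabas (@barnyp); the current version is v1.0.0.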
