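Catch My Skill

Author: russellfei · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 408 · Favorites: 0 · Current installs: 1 · Versions: 1
Install in OpenClaw
/install catch-my-skill
Description
Automatically detects version differences between local and online skills. Supports ClawHub/GitHub and checks for updates periodically.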
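Usage (SKILL.md)

Catch My Skill

Automatically detects version differences between local and online skills

Features

  • 📋 Maintains two lists

    • Local skill list (with versions)
    • Online skill list (ClawHub + GitHub)
  • Scheduled checks

    • Fetches online versions automatically every half hour
    • Compares local and online versions
  • 🔔 Version alerts

    • Reminds you to update when the local version is behind
    • Supports manually triggered checks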

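List files

File              Description
data/local.json   Local skill list
data/online.json  Online skill list

Design rationale

High-stickiness usage: keep only the skills the user actually uses, and avoid installing a pile of unused ones.

Initialization flow

1. Run init for the first time
   ↓
2. Automatically fetch all online skills (ClawHub + GitHub)
   ↓
3. Generate the full local list (with versions)
   ↓
4. The user deletes unwanted skills
   ↓
5. Only the remaining skills are tracked afterwards

User operations

# First-time initialization (pull everything from online)
/catch-my-skill init

# Remove an unwanted skill (less to track)
/catch-my-skill remove white-stone-mem

# Add back a skill you want to track
/catch-my-skill add elegant-sync

# Check versions
/catch-my-skill check

# Update automatically when local is behind (pick either channel)
/catch-my-skill update elegant-sync

Data format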

local.json

{
  "skills": [
    {"name": "white-stone-mem", "version": "1.0.0", "path": "~/.openclaw/skills/white-stone-mem"},
    {"name": "elegant-sync", "version": "1.0.1", "path": "~/.openclaw/skills/elegant-sync"}
  ],
  "updated": "2026-02-28T16:00:00Z"
}

online.json

{
  "clawhub": [
    {"name": "white-stone-mem", "version": "1.0.0", "owner": "russellfei"},
    {"name": "elegant-sync", "version": "1.0.3", "owner": "russellfei"}
  ],
  "github": [
    {"name": "minimax-mcp-call", "version": "1.0.0", "owner": "russellfei", "repo": "russellfei/minimax-mcp-call"}
  ],
  "updated": "2026-02-28T16:00:00Z"
}

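Configuration

Automatic check interval

Configure in .backup.env:

# Check interval (minutes), default 30 minutes
CATCH_INTERVAL=30

GitHub username

GITHUB_USERNAME=russellfei

Workflow

1. Scheduled trigger (every 30 minutes)
   ↓
2. Fetch online versions from ClawHub (clawhub inspect)
   ↓
3. Fetch online versions from GitHub (gh api)
   ↓
4. Compare with local versions
   ↓
5. Output a difference report
   ↓
6. Local is behind → remind to update

Example output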

=== Skill 版本检查 ===

本地落后需更新:
  ⚠️ elegant-sync: 本地 1.0.1 < 线上 1.0.3

本地已是最新:
  ✅ white-stone-mem: 1.0.0
  ✅ minimax-mcp-call: 1.0.0

线上新技能:
  (无)

Scheduled task

Automatically added to crontab:

# Check every 30 minutes
*/30 * * * * node /path/to/catch-my-skill/index.js check >> /home/orangepi/.openclaw/logs/catch-my-skill.log 2>&1

Installation

# Copy into the skills directory
cp -r catch-my-skill ~/.openclaw/workspace/skills/

# Initialize
node index.js init

Changelog

  • 2026-02-28: Initial version
Security recommendations
Before installing, be aware of these points:

  • Claims vs implementation: The README says it fetches all online skills, but the code only checks a hard-coded KNOWN_SKILLS list and only queries ClawHub for the periodic check. If you expect automatic discovery of every skill on ClawHub/GitHub, this implementation doesn't do that.
  • Shell commands: The script runs shell commands (clawhub inspect/install, git clone) with execSync and interpolated strings. That will clone and install code from remote repos when you run update. Only run this on a machine where you're comfortable allowing those operations, and review the repos it will clone.
  • Input sanitization: update uses the skill name directly in shell commands. If you run update with untrusted names, there is a risk of command injection. Prefer to only update skills from trusted names, or inspect/modify the code to validate names or use safer child_process APIs (no shell interpolation).
  • File access: The skill reads/writes ~/.openclaw/.backup.env, ~/.openclaw/workspace/skills, and its own data/*.json files. Check the .backup.env file for unexpected content before use.
  • Practical checks: If you plan to use it, consider reviewing index.js (particularly getOnlineSkills/initLocal/updateSkill) and either (a) remove or expand the hard-coded KNOWN_SKILLS, (b) add input validation/sanitization for skill names, and (c) confirm you want cron-style periodic checks that will run these commands.

Given the mismatches and the use of shell operations, proceed with caution and inspect/adjust the code to match your security expectations before enabling automated runs.
Analysis
Type: OpenClaw Skill Name: catch-my-skill Version: 1.0.0 The skill is classified as suspicious due to a critical shell injection vulnerability found in `index.js`. The `updateSkill` function uses `execSync` with unsanitized user input (`process.argv[3]`) when constructing `git clone` and `clawhub install` commands, which allows for arbitrary command execution. Additionally, `SKILL.md` instructs the agent to establish persistence via a cron job, which, while intended for legitimate updates, could be leveraged by an attacker exploiting the shell injection vulnerability.
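The hardening recommended above (validate skill names, run commands without shell interpolation), as an added example that is not the skill's index.js. The function names, the name patterns and the skillsRoot parameter are assumptions; only the `git clone` and `clawhub install` commands come from the report.

```javascript
// Added example, not the skill's index.js. Function names, the name
// patterns and the skillsRoot parameter are assumptions.
const { execFileSync } = require("node:child_process");
const path = require("node:path");

// Allow-list patterns: must start and end alphanumeric, hyphens only inside.
// A leading "-" is refused so a name can never be read as a CLI option.
const SKILL_NAME = /^[a-z0-9](?:[a-z0-9-]{0,62}[a-z0-9])?$/;
const GITHUB_OWNER = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?$/;

function checked(value, pattern, what) {
  if (typeof value !== "string" || !pattern.test(value)) {
    throw new Error(`rejected ${what}: ${JSON.stringify(value)}`);
  }
  return value;
}

// argv for `git clone`; "--" ends option parsing before the URL.
function buildCloneArgv(owner, name, skillsRoot) {
  checked(owner, GITHUB_OWNER, "owner");
  checked(name, SKILL_NAME, "skill name");
  const root = path.resolve(skillsRoot);
  const dest = path.resolve(root, name);
  // Defence in depth: the target must be a direct child of the skills root.
  if (path.dirname(dest) !== root) throw new Error("destination escapes skills root");
  return ["clone", "--depth", "1", "--", `https://github.com/${owner}/${name}.git`, dest];
}

// argv for `clawhub install <name>`.
function buildInstallArgv(name) {
  return ["install", checked(name, SKILL_NAME, "skill name")];
}

// execFileSync starts the program directly (no shell), so each argv element
// reaches it as one literal argument; ";", "$()" and backticks are not parsed.
function runUpdate(source, owner, name, skillsRoot) {
  const [cmd, argv] = source === "github"
    ? ["git", buildCloneArgv(owner, name, skillsRoot)]
    : ["clawhub", buildInstallArgv(name)];
  execFileSync(cmd, argv, { stdio: "inherit", timeout: 120000 });
}
```

Validation and the shell-free call are independent layers: the allow-list also blocks option-style names such as `--help`, which `execFileSync` alone would pass through to the program.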
Capability assessment
Purpose & Capability
The README/SKILL.md claim the tool will fetch 'all online skills (ClawHub + GitHub)', but the code only queries a hard-coded KNOWN_SKILLS list and only uses ClawHub for the periodic 'online' scan. GitHub is only used when attempting an update (git clone). The skill also reads ~/.openclaw/.backup.env (for GITHUB_USERNAME and interval) despite the registry metadata declaring no required env — this is a mismatch between claims and actual behavior.
Instruction Scope
Runtime instructions and the code generally align, but there are discrepancies: SKILL.md/README imply broader online discovery while the code limits discovery to a fixed list. The code executes shell commands (clawhub inspect, git clone, clawhub install) via execSync without sanitizing inputs; it reads/writes files under the user's home (~/.openclaw/workspace/skills and the skill's data/ directory). The skill suggests adding a cron job but does not itself add one.
Install Mechanism
No remote install or download step is declared and the package is instruction-only with a local index.js. Nothing in the manifest downloads arbitrary code at install time. However, runtime operations (git clone, clawhub install) will fetch remote repositories when you run update, which is expected for an updater.
Credentials
The registry lists no required environment variables, yet the code will read ~/.openclaw/.backup.env for GITHUB_USERNAME and CATCH_INTERVAL. These are not secrets, but the skill does access a user file not declared in metadata. No credentials (tokens/keys/passwords) are requested or used by the code as written.
Persistence & Privilege
The skill does not request always:true and does not modify other skills' configs. It writes its own data files under its data/ directory and interacts with ~/.openclaw/workspace/skills, which is consistent with an updater/tracker.
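How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install catch-my-skill
  3. Once installed, call the Skill by name or trigger it with /catch-my-skill
  4. Provide the inputs required by the Skill's parameter description to get structured output
Version history
v1.0.0
Automatically detects version differences between local and online skills
Metadata
Slug catch-my-skill
Version 1.0.0
License
Total installs 1
Current installs 1
Historical versions 1
FAQ

What is Catch My Skill?

Automatically detects version differences between local and online skills. Supports ClawHub/GitHub and checks for updates periodically. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 408 total downloads so far.

How do I install Catch My Skill?

Run the command "/install catch-my-skill" in the OpenClaw or Claude Code chat box for a one-step install; no extra configuration is needed.

Is Catch My Skill free?

Yes, Catch My Skill is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Catch My Skill support?

Catch My Skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Catch My Skill?

It is developed and maintained by russellfei (@russellfei); the current version is v1.0.0.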