← 返回 Skills 市场

CLAUDE.md Auto Discovery

Name: CLAUDE.md Auto Discovery
Author: shaoxiang616

作者 shaoxiang616 · GitHub ↗ · v0.1.0 · MIT-0

cross-platform ⚠ suspicious

113

总下载

当前安装

版本数

在 OpenClaw 中安装

/install claude-md-auto-discovery

功能描述

Automatically discovers and loads CLAUDE.md files in the project root with support for @include directives and reverse order loading up to 40,000 characters.

使用说明 (SKILL.md)

CLAUDE.md 自动发现技能

自动发现并加载项目根目录的 CLAUDE.md 文件，参考 Claude Code 实现。

功能

自动查找 ./CLAUDE.md 和 ./ CLAUDE.md
支持 @include 指令
最大 40000 字符限制
逆序加载（后面的文件优先级更高）

触发条件

当用户发送消息时自动执行
无需用户手动调用

实现

使用 fs.readFileWithinRoot 读取文件
遍历当前工作目录向上查找
解析 @include 指令
注入到系统上下文

安全使用建议

What to check before installing: - Confirm the trigger model: SKILL.md says it auto-runs on each user message, but the registry does not set always:true. Ask the author how and when the skill is invoked by the agent. - Understand what will be injected: the code will read any CLAUDE.md files in the current directory and up to 3 parents and print their contents (combined and truncated). If your repo stores sensitive info in such files, that content could be added to the agent's system prompt/context. - Ask about @include handling: the README promises @include parsing but neither Python nor Node files implement it — this is a functional mismatch you should resolve. - Note there are no network calls or credential requests in the code, which lowers exfiltration risk, but the main risk is sensitive local content being loaded into the agent context. Consider testing in a sandboxed project or asking for code updates to explicitly implement and document include handling, invocation semantics, and any safety filters (e.g., skip files in .git or CI folders) before using in sensitive environments.

功能分析

Type: OpenClaw Skill Name: claude-md-auto-discovery Version: 0.1.0 The skill implements a discovery mechanism for 'CLAUDE.md' files to inject project-specific instructions into the agent's system context. It is classified as suspicious because it instructs the agent to automatically execute and inject unvalidated file content into the system prompt, creating a high-risk prompt injection vector. Furthermore, the code specifically searches for a file with a leading space (' CLAUDE.md') in `claude-md.py` and `discover.mjs`, which is a common technique for hiding files, and the documentation in `SKILL.md` claims to support features like '@include' that are entirely absent from the actual implementation.

能力评估

ℹ Purpose & Capability

Name and description claim automatic discovery and loading of CLAUDE.md files; the included Python and Node scripts implement upward traversal (up to 4 levels), reverse-order loading, and truncation to 40,000 chars — this matches the advertised core capability. However SKILL.md promises @include handling which neither code file implements, so there is a mismatch between stated capabilities and actual code.

⚠ Instruction Scope

SKILL.md states the skill will '自动执行' (auto-run) when the user sends a message and references an agent API (fs.readFileWithinRoot) and 'inject into system context'. The registry flags show always:false (not force-enabled) and the code files are simple CLI-style scripts that read local files and print combined content. The conflict between 'auto-run on every message' in SKILL.md and the registry metadata plus the lack of an explicit runtime hook is a behavioral ambiguity. The code reads files from the current working directory and up to 3 parents, which is within scope for discovery but does mean repository contents (potentially sensitive project text) will be loaded into the agent/system context.

✓ Install Mechanism

No install spec is provided (instruction-only skill) and the package contains two simple code files (Python and Node) with no remote downloads, no npm/go installs, and no extract-from-URL steps. That lowers install-time risk; the files are plain source and do not perform network calls.

✓ Credentials

The skill declares no required environment variables, credentials, or config paths. The code does perform local filesystem reads limited to files named 'CLAUDE.md' (and a variant with a leading space) in the working directory and up to 3 parent directories; that access is proportional to the stated purpose but still may surface project content into the agent context.

ℹ Persistence & Privilege

The skill is not marked always:true and does not request elevated system privileges. However SKILL.md explicitly claims automatic execution on every user message; since model-invocation is enabled by default (disable-model-invocation:false), the agent could still autonomously call the skill if the platform's skill routing allows it. This discrepancy between documentation and metadata should be clarified.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install claude-md-auto-discovery
安装完成后，直接呼叫该 Skill 的名称或使用 /claude-md-auto-discovery 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.0

Initial release with automated CLAUDE.md discovery and loading. - Automatically searches for and loads ./CLAUDE.md and variations in the project root. - Supports @include directives within CLAUDE.md. - Enforces a 40,000 character limit. - Loads files in reverse order, giving higher priority to later files. - Executes automatically on user message, no manual trigger required.

元数据

Slug claude-md-auto-discovery

版本 0.1.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题