E.x.O. Installer
Author: emberDesire · v0.4.1
Total downloads: 1021
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install exo-installer
Description
Install, update, and monitor E.x.O. tools like jasper-recall and hopeIDS, manage OpenClaw plugins, and perform health checks with a single command.
Usage (SKILL.md)
exo-installer Skill
E.x.O. Ecosystem Manager
Install, update, and monitor all E.x.O. tools with a single command.
When to Use
- User wants to install E.x.O. tools (jasper-recall, hopeIDS, context-compactor)
- User asks about the E.x.O. ecosystem
- User needs to set up OpenClaw plugins
- User wants to check health of installed tools
Quick Start
# Install all public E.x.O. packages
npx exo-installer install --all
# Or install specific tools
exo install jasper-recall
exo install hopeIDS
exo install jasper-context-compactor
# Health check
exo doctor
exo doctor --json # For automation
Commands
| Command | Description |
|---|---|
| `exo install --all` | Install all public packages |
| `exo install <pkg>` | Install specific package |
| `exo update` | Update all installed packages |
| `exo doctor` | Health check all components |
| `exo doctor --json` | Health check with JSON output |
| `exo list` | List available packages |
| `exo internal clone` | Clone private repos (needs GitHub access) |
Available Packages
Public (npm)
| Package | Description |
|---|---|
| jasper-recall | Local RAG system for agent memory |
| hopeIDS | Behavioral anomaly detection |
| jasper-context-compactor | Token management for local models |
| jasper-configguard | Safe config changes with rollback |
Internal (GitHub)
| Repo | Description |
|---|---|
| hopeClaw | Meta-cognitive inference engine |
| moraClaw | Temporal orchestration agent |
| task-dashboard | Project management system |
| exo-distiller | Agent distillation pipeline |
Internal packages require GitHub org access:
exo internal clone
Health Check
$ exo doctor
🔍 E.x.O. Health Check
jasper-recall ................. ✅ v0.4.2
ChromaDB: ✅ connected
Embeddings: ✅ loaded
Documents: 847
hopeIDS ...................... ✅ v1.3.3
Analyzer: ✅ ready
Models: 3 loaded
jasper-context-compactor ...... ✅ v0.2.2
Overall: 3/3 healthy
Integration
After installing, tools auto-register with OpenClaw:
{
  "extensions": {
    "jasper-recall": { "enabled": true },
    "hopeIDS": { "enabled": true },
    "jasper-context-compactor": { "enabled": true }
  }
}
Security recommendations
What to consider before installing/running this skill:
- Trust the source: the CLI will run global npm installs and npx commands (these pull and execute third-party code). Only proceed if you trust the E.x.O. packages and the GitHub org listed.
- Missing declared requirements: the skill requires npm, npx, git and may need GitHub credentials and Telegram tokens for alerts, but these are not declared — expect to provide or have these configured in your environment.
- Local file access & persistence: it reads/writes ~/.openclaw/* and checks ~/projects paths; it can create state files and may modify OpenClaw config or set cron jobs. If you want to limit impact, run it in an isolated environment or container first.
- Private repo cloning: internal packages reference private repos/local paths. If you run the 'internal clone' command the skill will attempt to access your GitHub account or local project directories — verify what it will clone and where.
- Inspect the code: the shipped cli.js is readable; review the remainder of the truncated code paths (cron, telegram integration, internal clone) before use. Confirm how 'auto-register with OpenClaw' is implemented and whether it modifies other skills' configs.
If unsure: run the tool in a disposable VM/container, or request the maintainer to clarify required credentials (GitHub token, Telegram token), the exact changes performed on ~/.openclaw, and supply signed provenance (official GitHub repo) before granting it access to your primary environment.
Functional analysis
Type: OpenClaw Skill
Name: exo-installer
Version: 0.4.1
The skill 'exo-installer' is classified as suspicious due to its extensive use of `child_process.execSync` in `cli.js` to install global npm packages, execute `npx` commands, and clone GitHub repositories. While the commands executed are derived from hardcoded values in `packages.json` or internal logic, and do not appear to be directly vulnerable to user-input-based shell injection in this specific bundle, the inherent power of these operations (e.g., `npm install -g`, `git clone`) represents a significant attack surface and supply chain risk. Additionally, the `cmdCronSetup` function instructs the OpenClaw agent to set up a cron job, a powerful capability, even if the suggested payload is currently benign.
Capability assessment
Purpose & Capability
The SKILL.md and cli.js broadly match the stated purpose (install/update/health-check of E.x.O. packages). However the skill executes global npm installs, npx commands, and may clone private GitHub repos — yet the metadata declares no required binaries or environment variables (e.g., git, npm, or a GitHub token). That mismatch (declaring nothing required while the code needs npm/git and potentially credentials) is disproportionate and inconsistent.
Instruction Scope
Runtime instructions and the shipped cli.js instruct the agent to run arbitrary shell commands (npm install -g, npx <tool> setup, doctor commands), check/modify files under ~/.openclaw, and suggest cloning internal repos requiring GitHub access. Those actions can execute arbitrary third-party code (via npm/npx) and touch user files; the SKILL.md does not document authentication or safety boundaries (how internal repo access is obtained, or what auto-registration modifies). This expands scope beyond a simple 'installer' without clear safeguards.
Install Mechanism
There is no external install spec (skill is instruction-only) and the included code uses standard sources: npm registry and GitHub. No unusual remote download URLs or archive extraction were observed. Installing or running this CLI will invoke npm and npx which pull and execute code from package registries — normal for an installer but a real risk if you don't trust the packages being installed.
Credentials
The package expects access to private/internal GitHub repos and can send alerts (README mentions Telegram), but requires.env is empty and no primary credential is declared. The packages.json includes internal packages with localPath entries under ~/projects, which implicitly accesses user files. Requiring GitHub access and potential notification tokens without declaring them is an inconsistency and increases risk.
Persistence & Privilege
The CLI writes state to ~/.openclaw/exo-state.json and references the OpenClaw config path (~/.openclaw/openclaw.json); README and SKILL.md mention cron setup and auto-registration. The skill is not 'always:true' and does not appear to escalate privileges beyond user-level file writes, but it will persist state and may create cron jobs or modify OpenClaw config if run — consider this persistent footprint when evaluating trust.
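How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the dialog: /install exo-installer
- Once installed, invoke the Skill by name or trigger it with /exo-installer
- Provide the required inputs according to the Skill's parameter description to get structured output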
Version history
v0.4.1
Add SKILL.md and openclaw.plugin.json for ClawHub
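FAQ
What is E.x.O. Installer?
Install, update, and monitor E.x.O. tools like jasper-recall and hopeIDS, manage OpenClaw plugins, and perform health checks with a single command. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1021 cumulative downloads to date.
How do I install E.x.O. Installer?
Run the command "/install exo-installer" in the OpenClaw or Claude Code dialog to install it in one step, with no additional configuration required.
Is E.x.O. Installer free?
Yes, E.x.O. Installer is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does E.x.O. Installer support?
E.x.O. Installer is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed E.x.O. Installer?
It is developed and maintained by emberDesire (@emberdesire); the current version is v0.4.1.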