功能描述

Fetch and install C++ tools/libraries from cpp_tools repository. Use when users need to download or clone third-party C++ libraries such as eigen, opencv, pc...

使用说明 (SKILL.md)

Pywayne Bin Gettool

Name: Pywayne Bin Gettool
Author: wangyendt

Tool fetcher for C++ libraries from cpp_tools repository. Supports sparse checkout, optional building with CMake/make, and installation scripts.

Quick Start

# List all supported tools
gettool -l

# Fetch a tool to default path (based on name_to_path_map.yaml)
gettool \x3Ctool_name>

# Fetch to specific path
gettool \x3Ctool_name> -t \x3Ctarget_path>

# Fetch and build (if buildable)
gettool \x3Ctool_name> -b

# Fetch and install (if installable)
gettool \x3Ctool_name> -i

Usage Patterns

1. List Available Tools

When user wants to see what tools are available:

gettool -l

2. Simple Fetch

Download tool source code to default path (determined by name_to_path_map.yaml in current directory):

gettool opencv
gettool eigen

3. Fetch with Custom Target

Download tool to a specific directory:

gettool opencv -t third_party/opencv
gettool eigen -t external/eigen

4. Build from Source

Build the tool using CMake and make. Requirements:

Tool must be marked as buildable: true in name_to_path_map.yaml
Tool must have a CMakeLists.txt file
Build output (lib/) is copied to target directory

gettool apriltag_detection -b
gettool \x3Ctool_name> -b -t build/\x3Ctool_name>

5. Clean Copy (src + include only)

Fetch only src/ and include/ directories if they exist:

gettool eigen -c

6. Fetch and Install

After fetching, execute the tool's installation script (if configured):

gettool pcl -i
gettool pcl -i --global-install-flag true  # Use sudo make install

7. Fetch Specific Version

Check out a specific version/tag/branch (only works for tools that are submodules):

gettool fmt -v 9.1.0

8. Manage Repository URL

# Show current URL
gettool --get-url

# Set custom URL
gettool --set-url \x3CURL>

# Reset to default URL
gettool --reset-url

Command Reference

Argument	Description
`\x3Cname>` or `-n \x3Cname>`	Tool name from name_to_path_map.yaml
`-t \x3Cpath>`	Target output directory (default: based on mapping)
`-b` / `--build`	Build using CMake + make (if buildable)
`-c` / `--clean`	Copy only src/include directories
`-v \x3Cversion>`	Checkout specific version (submodules only)
`-i` / `--install`	Run installation script (if installable)
`--global-install-flag`	Set to `true` for sudo make install
`-l` / `--list`	List all supported tools
`--get-url`	Show current repository URL
`--set-url \x3CURL>`	Set repository URL
`--reset-url`	Reset to default URL

Tool Types and Behavior

Submodule Tools

Cloned as full independent repositories
Support -v for version checkout
Not built via CMake (use -b for source-level build if configured)

Non-Submodule Tools (Sparse Checkout)

Fetched via git sparse-checkout from cpp_tools repo
Can be built with -b (requires buildable=true and CMakeLists.txt)
Build output (lib/) copied to target directory

Default Path Mapping

When -t is not specified, the target path is determined by the path field in name_to_path_map.yaml relative to the current working directory.

Example: If opencv maps to third_party/opencv, running gettool opencv creates ./third_party/opencv.

Prerequisites

Git
CMake and make (for -b flag)
Appropriate C++ toolchain (for building)
Write permissions for target directory

Common Tool Names

Typical tools available (run gettool -l for current list):

eigen - Linear algebra library
opencv - Computer vision library
pcl - Point Cloud Library
fmt - Formatting library
apriltag_detection - AprilTag detection
spdlog - Fast C++ logging library

安全使用建议

This skill is instruction-only but describes a CLI (`gettool`) and build/install actions it does not provide or declare. Before installing or enabling it: 1) Verify whether a trusted `gettool` binary actually exists on your system or where it comes from; the skill bundle does not include or install it. 2) Do not allow the agent to run installs with `--global-install-flag`/sudo unless you trust the repository and have inspected the installation scripts. 3) Confirm the default `cpp_tools` repository URL and review any third-party code before fetching/building. 4) If you want to use this functionality, prefer a version that includes an install spec or points to an auditable, official release (e.g., GitHub releases) and explicitly declares required binaries (git, cmake, make). If you cannot verify the origin or contents of downloaded repositories, treat this skill as risky and run such fetch/build steps manually in a sandbox.

功能分析

Type: OpenClaw Skill Name: gettool Version: 0.1.0 The `gettool` skill bundle is highly suspicious due to several critical vulnerabilities that enable remote code execution (RCE), arbitrary file writes, and privilege escalation. Specifically, the `--set-url <URL>` argument allows an attacker to point the agent to a malicious Git repository. Subsequently, the `-b` (build) or `-i` (install) flags would execute arbitrary code from this repository, leading to RCE. Furthermore, the `-t <path>` argument allows writing fetched content to arbitrary file system locations, and the `--global-install-flag` explicitly supports `sudo make install`, posing a privilege escalation risk. While the `SKILL.md` itself does not contain explicit prompt injection for self-exploitation, the described capabilities are extremely risky and easily exploitable by a malicious user interacting with the agent.

能力评估

⚠ Purpose & Capability

The skill's stated purpose is to fetch and install C++ libraries via a `gettool` CLI that talks to a `cpp_tools` repository. However, the package contains no code, no install specification, and the registry metadata does not declare `gettool`, `git`, `cmake`, or `make` as required binaries. A genuine CLI helper would normally either include the tool, provide an install step, or at minimum declare the binaries it expects — that mismatch is a coherence problem.

⚠ Instruction Scope

SKILL.md tells the agent to run commands that perform network fetches, git sparse-checkout, builds (CMake/make), and installation scripts (optionally with sudo). It assumes presence of a local name_to_path_map.yaml and allows setting an arbitrary repository URL. Those instructions can cause network downloads and execution of third-party install scripts, and they presume binaries and files that the skill did not declare. The instructions do not constrain which repo URLs are allowed, nor do they require verification of downloaded code.

ℹ Install Mechanism

There is no install spec — this is instruction-only. That minimizes what is written by the skill itself, but it also means the skill only tells the agent to run external commands rather than providing a vetted implementation. The absence of an install step is internally inconsistent with a CLI-driven skill unless the platform already guarantees `gettool` exists, which is not documented.

ℹ Credentials

The skill requests no environment variables or credentials, which is appropriate. However, because it lets the user/setter change the repository URL and run arbitrary install scripts, network access and filesystem write permissions are implicit requirements. Those are not declared; the skill could cause the agent to fetch and run untrusted code without any credential checks.

⚠ Persistence & Privilege

The skill does not request permanent inclusion (always:false) and allows autonomous invocation (default), which is normal. But the instructions explicitly describe running installation scripts and a `--global-install-flag` that triggers `sudo make install`. That combination — autonomous invocation plus instructions that may escalate to privileged system installs — increases risk if the agent is allowed to act without human supervision.

版本历史

v0.1.0

Initial public release of pywayne-bin-gettool. - Fetch and install C++ tools/libraries (e.g., eigen, opencv, pcl, fmt) from cpp_tools repository. - Supports listing, fetching, and cloning tools; optional building (with CMake/make) and installation scripts. - Allows custom target paths, clean copy (src/include only), and fetching specific versions/tags (for submodules). - Includes management of cpp_tools repository URL. - Command-line interface with flags for all key operations.

元数据

Slug gettool

版本 0.1.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题