← 返回 Skills 市场

Pipelinegate

Name: Pipelinegate
Author: mirni

作者 mirni · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

总下载

当前安装

版本数

在 OpenClaw 中安装

/install gh-pipelinegate

功能描述

Chain Green Helix tools into multi-step pipelines. Define a sequence of steps (scan-text, scan-skill, check-scope, validate, diff, check-env, convert) and Pi...

使用说明 (SKILL.md)

PipelineGate

Chain multiple tools into a single pipeline call.

Start the server

uvicorn pipelinegate.app:app --port 8011

Run a security pipeline

curl -s -X POST http://localhost:8011/v1/run \
  -H "Content-Type: application/json" \
  -d '{
    "steps": [
      {"tool": "scan-text", "input": {"text": "Check this text"}},
      {"tool": "scan-skill", "input": {"skill_content": "---\
name: test\
---\
Hello"}},
      {"tool": "check-scope", "input": {"skill_content": "---\
name: test\
---\
Hello"}}
    ]
  }' | jq

Returns success (all steps passed), total_steps, completed_steps, and results (output per step).

Available tools

curl -s http://localhost:8011/v1/tools | jq '.tools[] | "\(.name): \(.description)"' -r

Tools: scan-text, scan-skill, check-scope, validate, diff, check-env, convert.

Error handling

By default, the pipeline stops on the first error. Set "stop_on_error": false to continue:

curl -s -X POST http://localhost:8011/v1/run \
  -H "Content-Type: application/json" \
  -d '{"steps": [{"tool": "scan-text", "input": {"text": "hi"}}], "stop_on_error": false}' | jq

安全使用建议

This skill appears to implement the pipeline functionality it claims, but review these points before installing or exposing it: - Local server and environment probing: The server exposes a /v1/run API that can invoke a 'check-env' step which checks for the existence of supplied environment variable names (it returns which names are present or missing). While it doesn't return secret values, this lets callers probe the host environment. Run the server only on localhost or behind an access control mechanism and avoid exposing it to untrusted networks. - Dependency and install mismatch: SKILL.md requests pip packages (fastapi, uvicorn, pydantic, pyyaml, jsonschema). Registry metadata shows an unusual 'uv' id/kind; confirm your install system maps that to pip. The code also imports internal 'products.*' modules that must exist in your environment; otherwise the service will fail. Review/confirm availability of those product libraries. - Minor functional inconsistencies: The tools registry description claims conversion includes TOML but exec_convert only supports JSON and YAML; the SKILL.md doesn't state the 'check-env' probing explicitly. These are implementation mismatches (likely bugs) — confirm behavior before relying on the tool. - Run safely: If you test it, run in an isolated environment (container or VM) and bind uvicorn to 127.0.0.1. Inspect logs and network exposure. If you need to allow remote access, add authentication or restrict access to trusted hosts. If you want, I can point out the exact lines where environment probing and the JSON/YAML/TOML mismatch occur, or produce a minimal wrapper that starts the server bound to localhost only.

功能分析

Type: OpenClaw Skill Name: gh-pipelinegate Version: 1.0.0 The gh-pipelinegate skill bundle implements a FastAPI-based orchestration engine for running security-related analysis tools in sequence. The code provides functionality for scanning text for injections, validating JSON schemas, diffing content, and checking for the presence of required environment variables or binaries (without leaking their values). The implementation uses safe practices such as yaml.safe_load and limits its environment checks to existence verification, showing no signs of malicious intent, data exfiltration, or unauthorized execution.

能力评估

ℹ Purpose & Capability

Name/description align with the code: this is a local pipeline engine that calls existing 'products.*' detectors and extractors. However, the skill imports several internal product modules (products.promptguard, products.skillscan, products.scopecheck) which are external dependencies not declared in SKILL.md or registry metadata; if those modules are missing the service will fail. Overall capabilities are coherent with the description but rely on internal product libraries.

ℹ Instruction Scope

SKILL.md instructs launching a uvicorn API and POSTing step payloads — consistent with the FastAPI app. The code implements expected tools, but there are subtle scope items: the 'check-env' tool programmatically inspects the host process environment (os.environ) and reports which requested env var names are present/absent; SKILL.md does not explicitly call out that probing behavior. The 'check-scope' tool returns detected filesystem paths and network URLs extracted from provided SKILL.md content (it does not itself read files or access network resources).

ℹ Install Mechanism

SKILL.md metadata shows a pip-style install of common Python packages (fastapi, uvicorn, pydantic, pyyaml, jsonschema). Registry install shows an id/kind 'uv' which is unusual but the SKILL.md itself lists pip packages. Installing via pip from PyPI is expected for a Python web app (moderate risk) but requires network access and will write packages to disk. No arbitrary URL downloads or extract-from-unknown-host signs were observed.

⚠ Credentials

The skill declares no required env vars, yet the code can inspect os.environ when you invoke the 'check-env' tool and will report which requested variable names are present. That lets callers probe whether specific environment variables exist on the host (it does not return variable values, only presence). Because the service opens an HTTP API, if that API is reachable by others it could be used to remotely probe which env names exist on the host. This capability is functionally related to a 'check-env' tool but represents a potential information-leak risk and should be documented and constrained.

✓ Persistence & Privilege

The skill does not request persistent/autoload privileges (always:false). It does not modify other skills' configs or system-wide settings. It runs as a local web server when started by the user; its runtime privileges are the privileges of the user running the process.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install gh-pipelinegate
安装完成后，直接呼叫该 Skill 的名称或使用 /gh-pipelinegate 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of gh-pipelinegate. - Enables chaining of Green Helix tools into configurable pipelines. - Supports step sequencing, with options to stop on error or continue on failure. - REST API to run pipelines and list available tools. - Tools supported: scan-text, scan-skill, check-scope, validate, diff, check-env, convert. - Returns detailed results for each pipeline step.

元数据

Slug gh-pipelinegate

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Pipelinegate 是什么？

Chain Green Helix tools into multi-step pipelines. Define a sequence of steps (scan-text, scan-skill, check-scope, validate, diff, check-env, convert) and Pi... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 80 次。

如何安装 Pipelinegate？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install gh-pipelinegate」即可一键安装，无需额外配置。

Pipelinegate 是免费的吗？

是的，Pipelinegate 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Pipelinegate 支持哪些平台？

Pipelinegate 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Pipelinegate？

由 mirni（@mirni）开发并维护，当前版本 v1.0.0。