bytesagain1

Goal Setter

Author: bytesagain1 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 281
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install goal-setter
Description
Goal Setter — Goal Setter — achieve your goals step by step. Personal daily-use tool for tracking and organizing your life. Use when you need Goal Setter cap...
Usage instructions (SKILL.md)

Goal Setter

Goal Setter — achieve your goals step by step

Why This Skill?

  • Designed for everyday personal use
  • No external dependencies or accounts needed
  • Data stored locally — your privacy, your data
  • Simple commands, powerful results

Commands

  • set — <goal> [deadline] Set a new goal
  • milestone — <goal> <step> Add milestone to goal
  • progress — <goal> <pct> Update progress (0-100%)
  • check — <goal> <milestone> Check off milestone
  • list — List all goals
  • active — Show active goals
  • review — Weekly goal review
  • motivate — Motivational quote
  • archive — <goal> Archive completed goal
  • stats — Goal statistics
  • info — Version info

Quick Start

goal_setter.sh help

Note: This is an original, independent implementation by BytesAgain. Not affiliated with or derived from any third-party project.


Powered by BytesAgain | bytesagain.com

Security usage advice
This skill appears to do what it says — local goal tracking — but review or patch the bundled script before trusting it. The script embeds unescaped user input into inline Python, which can cause crashes or allow code execution if goal text contains quotes, newlines, or special characters. If you want to use it: (1) run it in a safe, single-user environment; (2) back up ~/.goals before use; (3) prefer fixing the script by passing user data safely to Python (e.g., use python to read argv or stdin, or use json.dumps to serialize variables) rather than interpolating shell variables into code; (4) document GOAL_DIR usage since SKILL.md omits it. If you are not comfortable editing shell/Python, consider not installing or requesting a corrected version from the author.
Functional analysis
Type: OpenClaw Skill
Name: goal-setter
Version: 1.0.0
The script `scripts/goal_setter.sh` contains multiple critical code injection vulnerabilities where unsanitized shell variables (such as `$goal`, `$step`, and `$pct`) are embedded directly into Python commands executed via `python3 -c` and heredocs. This allows for arbitrary Python code execution if a user or a malicious prompt provides a crafted input string. While the tool's logic appears to align with its stated purpose of goal tracking and no evidence of intentional malice or data exfiltration was found, the high-risk nature of these vulnerabilities warrants a suspicious classification.
Capability assessment
Purpose & Capability
Name/description match the included functionality: a local goal tracker that stores data under $HOME/.goals. The script requires only bash and python3 (SKILL.md lists python3 runtime), and there are no unexpected network calls or third-party credentials. Minor mismatch: SKILL.md states 'no environment variables required' but the script honors an optional GOAL_DIR env var to change storage location.
Instruction Scope
The runtime instructions and the shipped script remain within the stated purpose (creating/updating a local JSON goals DB). However the script builds Python code by directly interpolating shell variables (e.g., $goal, $deadline, $pct) into python -c / heredoc blocks without escaping. This is fragile and dangerous: specially crafted goal text (quotes, newlines, or Python tokens) can break the Python snippets or be used to inject/execute arbitrary Python. Example problems: unquoted $deadline inserted into a Python 'if' expression can cause syntax errors or unexpected evaluation; single quotes inside a goal can break string literals. This is a code-injection / code-execution risk for the local user context and could also lead to data corruption. The SKILL.md suggests local-only storage and privacy, but the script's unescaped interpolation undermines safe handling of user-provided strings.
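The fix recommended under the security advice above (hand user data to Python through argv rather than interpolating it into code), as an added example that is not taken from the skill's `goal_setter.sh`. The `add_goal` and `goal_names` helpers, the `goals.json` file name, the record fields and the YYYY-MM-DD deadline format are assumptions; only `GOAL_DIR` and its `$HOME/.goals` default come from the page.

```shell
#!/usr/bin/env bash
# Added example: hypothetical helpers, not the skill's own script.
# GOAL_DIR and its default are from the page; goals.json is an assumed file name.
# Unsafe pattern the review describes (constructed illustration, not executed):
#   python3 -c "goals.append({'name': '$goal', 'deadline': $deadline})"
# The shell pastes the text into Python source, so a quote changes the program.
GOAL_DIR="${GOAL_DIR:-$HOME/.goals}"

# add_goal <goal> [deadline]: user text reaches Python only as argv data.
add_goal() {
    mkdir -p "$GOAL_DIR" || return 1
    # The quoted delimiter ('PY') disables shell expansion inside the Python code.
    python3 - "$GOAL_DIR/goals.json" "$1" "${2:-}" <<'PY'
import json, os, re, sys

db_path, goal, deadline = sys.argv[1:4]
if not goal.strip():
    sys.exit("goal text is required")
# Validate the deadline as data instead of letting Python evaluate it.
if deadline and not re.fullmatch(r"\d{4}-\d{2}-\d{2}", deadline):
    sys.exit("deadline must be YYYY-MM-DD")

goals = []
if os.path.exists(db_path):
    with open(db_path, encoding="utf-8") as fh:
        goals = json.load(fh)
goals.append({"name": goal, "deadline": deadline or None, "progress": 0})

# Write to a temp file and rename so a failure cannot leave a half-written DB.
tmp = db_path + ".tmp"
with open(tmp, "w", encoding="utf-8") as fh:
    json.dump(goals, fh, ensure_ascii=False, indent=2)
os.replace(tmp, db_path)
PY
}

# goal_names: print the stored goal names, one per line.
goal_names() {
    python3 - "$GOAL_DIR/goals.json" <<'PY'
import json, sys
with open(sys.argv[1], encoding="utf-8") as fh:
    for g in json.load(fh):
        print(g["name"])
PY
}
```

A goal containing both quote characters is stored verbatim, and a deadline that is not a date is rejected before anything is written.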
Install Mechanism
No install spec is provided (instruction-only with bundled script), so nothing is downloaded or executed at install time. This keeps install risk low. The only runtime dependency is python3 which the SKILL.md already declares.
Credentials
The skill declares no required environment variables, which matches its simple local design. The script, however, honors GOAL_DIR if present (defaults to $HOME/.goals). This is a reasonable, limited opt-in override but should be documented in SKILL.md. No credentials or unrelated env vars are requested.
Persistence & Privilege
The skill does not request system-wide privileges and is not always-enabled. It writes data only to a per-user directory (default $HOME/.goals or GOAL_DIR). It does not modify other skills or global agent settings.
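How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install goal-setter
  3. Once installed, call the Skill by name or trigger it with /goal-setter
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history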
v1.0.0
Initial release
Metadata
Slug: goal-setter
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
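FAQ

What is Goal Setter?

Goal Setter — Goal Setter — achieve your goals step by step. Personal daily-use tool for tracking and organizing your life. Use when you need Goal Setter cap... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 281 total downloads to date.

How do I install Goal Setter?

Run the command "/install goal-setter" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Goal Setter free?

Yes. Goal Setter is completely free and is released under the MIT-0 license, so it can be downloaded, installed and used freely.

Which platforms does Goal Setter support?

Goal Setter runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Goal Setter?

It is developed and maintained by bytesagain1 (@bytesagain1); the current version is v1.0.0.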
