← 返回 Skills 市场
705
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install hi
功能描述
Use the ClawdHub CLI to search, install, update, and publish agent skills from clawdhub.com. Use when you need to fetch new skills on the fly, sync installed...
使用说明 (SKILL.md)
ClawdHub CLI
Install
npm i -g clawdhub
Auth (publish)
clawdhub login
clawdhub whoami
Search
clawdhub search "postgres backups"
Install
clawdhub install my-skill
clawdhub install my-skill --version 1.2.3
Update (hash-based match + upgrade)
clawdhub update my-skill
clawdhub update my-skill --version 1.2.3
clawdhub update --all
clawdhub update my-skill --force
clawdhub update --all --no-input --force
List
clawdhub list
Publish
clawdhub publish ./my-skill --slug my-skill --name "My Skill" --version 1.2.0 --changelog "Fixes + docs"
Notes
- Default registry: https://clawdhub.com (override with CLAWDHUB_REGISTRY or --registry)
- Default workdir: cwd; install dir: ./skills (override with --workdir / --dir)
- Update command hashes local files, resolves matching version, and upgrades to latest unless --version is set
安全使用建议
Do not install this skill yet. The published metadata and SKILL.md advertise the ClawdHub CLI (npm 'clawdhub'), but the package contains an unrelated Python project (FreeRide) that will read and modify ~/.openclaw/openclaw.json, store state under your home directory, and require an OpenRouter API key. Before proceeding, ask the publisher to explain: (1) why FreeRide files are bundled with a ClawdHub skill, (2) which files are actually installed/run when you 'npm i -g clawdhub', and (3) provide the source for the npm package and the exact install/run flow. If you must test, do so in an isolated environment (VM/container) and inspect activator/extract shell scripts, the watcher/daemon code, and any network endpoints (openrouter.ai). Verify the npm package on the official registry and prefer packages with a clear single-purpose source repo. If you want only the ClawdHub CLI, fetch and review the official 'clawdhub' npm package directly rather than installing this mixed bundle.
功能分析
Type: OpenClaw Skill
Name: hi
Version: 1.0.0
The skill is designed for agent self-improvement and free AI model management, which are benign goals. However, the `scripts/extract-skill.sh` file, intended for creating new skill scaffolds, accepts an `--output-dir` argument without sufficient sanitization. If an AI agent were to be maliciously prompted (prompt injection) to execute this script with a sensitive or arbitrary path for `--output-dir`, it could lead to unauthorized file writes, potentially resulting in remote code execution or data corruption. This represents a significant vulnerability, classifying the skill as 'suspicious' rather than 'malicious' due to the lack of clear evidence of intentional harmful behavior within the script itself.
能力评估
Purpose & Capability
Registry/SKILL.md describe a ClawdHub CLI (npm package 'clawdhub') and list only the 'clawdhub' binary, but the bundle includes a full Python project (FreeRide) with main.py, watcher.py, many assets, and skill.json for a 'freeride' skill. The declared install (npm clawdhub) does not explain the large Python codebase, duplicated files, or multiple _meta.json entries with different slugs. This is incoherent: either unrelated code was bundled, or the metadata is incorrect.
Instruction Scope
The SKILL.md provided is just usage for the ClawdHub CLI (no file reads). However, included runtime code (main.py, watcher.py) explicitly reads/writes the user's OpenClaw config at ~/.openclaw/openclaw.json, reads OPENROUTER_API_KEY (env or config), writes cache/state files under ~/.openclaw, and makes network calls to openrouter.ai. Those behaviors are outside what the ClawdHub CLI usage would suggest and are not described in the SKILL.md visible to the agent.
Install Mechanism
The declared install is an npm package 'clawdhub' which is a reasonable, traceable mechanism. However, the package contents include Python scripts and shell scripts (activator.sh, extract-skill.sh) and many duplicated files; it's unclear how/if those Python files are installed or executed by the npm package. The presence of shell extractor/activator scripts increases risk because they can run arbitrary commands or install additional components.
Credentials
The registry metadata lists no required env vars, yet the included project (skill.json and code) requires OPENROUTER_API_KEY and will look in env or ~/.openclaw/openclaw.json for credentials. The bundle will access and modify user config files under ~/.openclaw, meaning it needs credential/config access that is not declared in the top-level requirements — a mismatch and a potential privacy/security concern.
Persistence & Privilege
The Python code writes persistent state and config under the user's home (~/.openclaw/.freeride-cache.json, .freeride-watcher-state.json, and modifies openclaw.json). It also includes a watcher/daemon mode that can run continuously. While 'always' is false, the ability to persistently modify OpenClaw configuration and run a background watcher is significant and not represented by the ClawdHub-only description.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install hi - 安装完成后,直接呼叫该 Skill 的名称或使用
/hi触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
hi
元数据
常见问题
Tsz 是什么?
Use the ClawdHub CLI to search, install, update, and publish agent skills from clawdhub.com. Use when you need to fetch new skills on the fly, sync installed... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 705 次。
如何安装 Tsz?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install hi」即可一键安装,无需额外配置。
Tsz 是免费的吗?
是的,Tsz 完全免费(开源免费),可自由下载、安装和使用。
Tsz 支持哪些平台?
Tsz 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Tsz?
由 roman181(@roman181)开发并维护,当前版本 v1.0.0。
推荐 Skills