← 返回 Skills 市场

Install Shared Skill

Name: Install Shared Skill
Author: shifulegend

作者 ssshhh · GitHub ↗ · v0.1.2

cross-platform ⚠ suspicious

370

总下载

当前安装

版本数

在 OpenClaw 中安装

/install install-shared-skill

功能描述

Install OpenClaw skills at the local/system level so they are shared by all agents. Uses the clawhub CLI to fetch and install skills into the global OpenClaw...

使用说明 (SKILL.md)

Shared Skill Installer (ClawHub)

Tool: install_skill

Install a skill using the clawhub CLI.

Parameters:

skill_name (string, required): The name of the skill to install

Behavior:

Executes: clawhub install \x3Cskill_name> --workdir ./
Returns the raw terminal output (stdout + stderr) as the tool result
Non-zero exit codes are captured and returned as part of the output

Example usage:

/install_skill nano-pdf

This runs: clawhub install nano-pdf --workdir ./

Tool: install_shared_skill

Alias of install_skill — identical functionality.

Parameters:

skill_name (string, required): The name of the skill to install

Behavior:

Executes: clawhub install \x3Cskill_name> --workdir ./
Returns the raw terminal output (stdout + stderr) as the tool result

Example usage:

/install_shared_skill nano-pdf

This runs: clawhub install nano-pdf --workdir ./

安全使用建议

Key things to consider before installing: (1) Verify you actually have and trust the `clawhub` CLI on the host; the skill will run it but does not declare that dependency. (2) The code uses string-based shell execution with the provided skill_name; if the agent or a user can supply a crafted skill name, that can lead to command injection (e.g., names containing `;` or `&&`). Prefer a version that spawns the command with arguments (no shell) or validates/whitelists skill names. (3) The skill advertises 'shared/system' installs but the implementation uses the current workspace (OPENCLAW_WORKSPACE or cwd) — expect it to be workspace-scoped unless you inspect/modify the code. (4) Because the agent can invoke this tool autonomously, consider disabling autonomous invocation for this skill or require human confirmation for install actions. (5) If you still want to use it, review or replace the helper scripts so they call `execFile`/spawn with separate args, explicitly require or validate the `clawhub` path, and avoid using undeclared environment variables.

功能分析

Type: OpenClaw Skill Name: install-shared-skill Version: 0.1.2 The skill bundle contains a critical command injection vulnerability in both tools/install_skill.js and tools/install_shared_skill.js. The code uses child_process.exec to run a shell command constructed with unsanitized input from the skill_name parameter, allowing for arbitrary remote code execution (RCE). While the tool's stated purpose is to facilitate skill installation via the clawhub CLI, the lack of input validation makes it highly dangerous.

能力评估

⚠ Purpose & Capability

The skill is named and described as installing skills at the local/system (shared) level, but both SKILL.md and the tools run `clawhub install <skill_name> --workdir ./` in the current workspace (or OPENCLAW_WORKSPACE). That behavior installs into a working directory, not necessarily a global/system-wide location. Additionally, the skill calls the external `clawhub` CLI but the manifest declares no required binaries — this is an undeclared runtime dependency.

⚠ Instruction Scope

The tool implementations build a single-shell command string and call child_process.exec with the raw skill_name interpolated: `clawhub install ${skillName} --workdir ./`. There is no validation/sanitization of skill_name, so a crafted skill_name could inject arbitrary shell commands. The scripts also read process.env.OPENCLAW_WORKSPACE for cwd (an environment variable that was not declared in requires.env). The instructions otherwise do not read unrelated files or post data externally.

✓ Install Mechanism

This is an instruction-only skill with small included Node.js helper scripts; there is no external download or archive extraction. Nothing in the install spec writes arbitrary content to disk beyond executing the local clawhub CLI. That is lower-risk than arbitrary remote downloads, but it still depends on an external CLI being present and trusted.

⚠ Credentials

No credentials or environment variables are declared, yet the tool code reads OPENCLAW_WORKSPACE to set the working directory and implicitly relies on the system PATH to find `clawhub`. The skill therefore accesses an undeclared env var and an undeclared binary dependency. While no secrets are requested, the undeclared env/binary usage is disproportionate to the manifest.

ℹ Persistence & Privilege

always is false and the skill does not request permanent platform-wide privileges. However, because the skill can be invoked by the agent (disable-model-invocation is false by default) and it executes shell commands with unsanitized input, autonomous invocation increases the blast radius. The skill also claims to perform a global/shared install but in practice uses the current workspace, so it does not actually require elevated persistence.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install install-shared-skill
安装完成后，直接呼叫该 Skill 的名称或使用 /install-shared-skill 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.2

fix: use exact command clawhub install <skill> --workdir ./

v0.1.1

docs: add user-invocable metadata to frontmatter

v0.1.0

Initial release: system-level skill installer using clawhub

元数据

Slug install-shared-skill

版本 0.1.2

许可证 —

累计安装 1

当前安装数 1

历史版本数 3

常见问题