← 返回 Skills 市场
wynnsu

Magic Quill

作者 Yong · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
631
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install magic-quill
功能描述
Generate YAML spell mapping files for OpenClaw Spellbook themed by a topic or URL, using dynamic spell-list discovery and heuristic fallback.
使用说明 (SKILL.md)

Magic Quill

A magical quill that inscribes themed spell mappings for OpenClaw Spellbook with high coverage for popular skills.

Inputs

  • --topic \x3Cname> or --url \x3Chttps://...> (primary inputs; spell-list lookup searches by topic/theme first, and --url is treated as a high-priority reference candidate when provided)
  • Optional --theme \x3Cname> to override the final theme name (or run heuristic-only mode with just --theme)
  • Optional --out \x3Cpath> (alias: --output) (default: spells/\x3Ctheme-slug>.yaml)
  • Optional --limit \x3Cn> (alias: --top) for top-N coverage (default: 50)
  • Optional --author \x3Cname> (default: @magic-quill)

What To Do

  1. Gather popular skills from both sources when possible:
    • skills.sh trending installs
    • ClawHub downloads API endpoint
  2. Merge and de-duplicate the results into a target set (fill gaps from built-in fallback skills if fetch fails).
  3. Gather spell-list references first (primary spell source):
    • Build dynamic web search queries from topic/theme (for example \x3Ctopic> spell list and \x3Ctopic> spells api)
    • Parse top search result links (DuckDuckGo HTML results) into candidate reference URLs
    • Include --url as a high-priority candidate when present
    • Fetch discovered JSON/HTML references (for example dnd5eapi.co if discovered), extract spell names, and merge/de-duplicate names from successful references
  4. Gather lore/context (secondary style keywords only):
    • If --url is provided, fetch and extract page text
    • Else if --topic is provided, try Wikipedia summary API
    • If fetch fails, use built-in theme lexicon/heuristics
  5. If spell-list references fail or do not produce enough names, generate spell mappings with the built-in heuristic spell-name generator.
  6. Write YAML to the requested output path (usually under spells/), including # spell-list-references: comment links for successful dynamically discovered spell-list sources/endpoints when available.
  7. Validate with npm run validate:spells if the output file is under spells/.

Commands (Users)

npm run generate:spellbook-theme -- --theme "Studio Ghibli" --limit 50 --author "@you"
npm run generate:spellbook-theme -- --topic "Cyberpunk 2077" --limit 75 --out spells/cyberpunk-2077.yaml --author "@you"
npm run generate:spellbook-theme -- --url "https://en.wikipedia.org/wiki/The_Lord_of_the_Rings" --limit 50 --author "@you"
npm run generate:spellbook-theme -- --topic "DnD 5e" --limit 20 --author "@you"

Commands (Agents)

node magic-quill/scripts/generate-spell-mapping.mjs --theme "The Legend of Zelda" --topic "The Legend of Zelda" --limit 50 --out spells/zelda.yaml --author "@example"
node scripts/validate-spells.mjs

Install From This Repo (Subpath)

Use a repo subpath source with npx skills add, for example:

npx skills add wynnsu/openclaw-spellbook/magic-quill

⚠️ Requires Hook for Use

This skill generates spell YAML mapping files — to actually use the themed spells in agent sessions, you need the openclaw-spellbook hook installed. Install the full spellbook package:

# Install the spellbook hook (includes magic-quill skill)
npx skills add wynnsu/openclaw-spellbook

Or install just the hook directly from the repo:

npx skills add wynnsu/openclaw-spellbook/hooks/spellbook

The hook handles the translation between magical spell names and actual skill IDs at runtime.

Usage after install (example prompt):

Use magic-quill to create a Star Wars spell mapping with top 50 coverage and write it to spells/star-wars.yaml.
安全使用建议
What to consider before installing/running Magic Quill: - Inspect the generator script (scripts/generate-spell-mapping.mjs) fully before running. The script will fetch web pages, parse JSON/HTML, follow links, and write YAML files; ensure there are no hidden outbound endpoints or obfuscated behavior. - The SKILL.md triggered a unicode-control-chars heuristic. That can hide text or behavior from casual reviewers — open the raw SKILL.md and the script in a plain text editor, search for control characters, and remove or understand them. - Network behavior: the tool performs dynamic web searches and will fetch arbitrary discovered URLs and any --url you provide. If you run it, consider doing so in an environment with controlled network access (or offline) until you trust it. - Review generated YAML before using it with the openclaw-spellbook hook. The fallback/popular-skills list includes powerful/destructive skill IDs (delete-file, kill-process, kubectl-apply, terraform-apply, etc.). If the generator maps those to easy-to-invoke spell names, an agent using that spellbook could execute destructive actions. Manually vet or sanitize the mapping (remove or rename high-risk mappings) before enabling them in an agent environment. - Validate locally: run the generation with --out pointing to a safe directory (not your live project), review the output, and run the npm validation step in a sandbox. Do not auto-install or auto-enable the spellbook hook until you have reviewed artifact contents. - If you need stronger assurance, request the full source of the external endpoints the script calls (skills.sh, ClawHub) or run the script with network monitoring to see what hosts are contacted. Given the prompt-injection signal and the potentially wide-reaching consequences of the generated mappings, proceed only after manual review and with network/file safeguards in place.
功能分析
Type: OpenClaw Skill Name: magic-quill Version: 1.0.0 The skill is classified as suspicious due to several vulnerabilities. The `scripts/generate-spell-mapping.mjs` script allows for arbitrary file writes via the `--out` argument, which uses `path.resolve` without sanitization, enabling path traversal. Additionally, the skill performs Server-Side Request Forgery (SSRF) by fetching content from user-provided URLs (`--url`) and dynamically discovered URLs (via DuckDuckGo searches and recursive link following in `fetchSpellListReference` and `fetchLoreFromUrl` functions), without validating against internal network access. While these are significant risks, there is no evidence of intentional malicious behavior like data exfiltration or persistence mechanisms.
能力评估
Purpose & Capability
The name/description (generate themed OpenClaw Spellbook YAML mappings) matches the included SKILL.md and the script file: the skill discovers spell lists, fetches pages, synthesizes names, and writes YAML. Including a built-in list of popular skills (used as fallbacks) is consistent with its goal to provide broad coverage. That fallback list however includes high-privilege/dangerous skill IDs (e.g., delete-file, kill-process, kubectl-apply, terraform-apply), which is coherent for a 'popular-skills' fallback but may be surprising to non-technical users and expands the potential impact of generated mappings.
Instruction Scope
Runtime instructions ask the agent to perform web searches (parse DuckDuckGo HTML), fetch arbitrary discovered URLs and a user-supplied --url, follow links up to depth, extract JSON/HTML content, merge names, and then write YAML under spells/. This gives the skill broad discretion to contact many external hosts (including ones discovered dynamically) and to read/parse arbitrary pages. The SKILL.md also triggered a pre-scan 'unicode-control-chars' prompt-injection pattern — that could be used to hide content or manipulate parsers. Additionally, because the fallback skill list contains destructive operations, the generated YAML may map benign-sounding spell names to actions that can perform destructive changes if later used by an agent.
Install Mechanism
There is no install spec (instruction-only), which is lower-risk in that nothing is automatically downloaded at install time. However, the repo includes an executable Node script (scripts/generate-spell-mapping.mjs) which will be executed by the agent when invoked; that script does filesystem writes and network fetches. Because execution is manual/agent-driven rather than an automatic remote download, the install risk is moderate but requires reviewing the script before running.
Credentials
The skill asks for no environment variables or credentials, which is proportionate. That said, it references external resources (skills.sh trending installs, ClawHub downloads API, DuckDuckGo, Wikipedia) without declaring required credentials — likely they are public endpoints, but the SKILL.md doesn't document expected endpoints or failure modes. The script will read/write files (spells/), and may fetch arbitrary hosts, so network access is the main capability requested; no hidden credential requests were declared, which is appropriate but leaves some uncertainty about how external APIs are used.
Persistence & Privilege
always is false and the skill is user-invocable — no elevated persistence requested. The script writes files to the project's spells/ directory (expected behavior). Be aware: writing new spell mapping YAML that maps to powerful skill IDs can effectively enable those operations when the openclaw-spellbook hook is installed, so the write operation has security implications even though the skill itself doesn't request persistent platform privileges.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install magic-quill
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /magic-quill 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Generate themed spell YAML mappings with dynamic spell-list discovery. Requires openclaw-spellbook hook to use generated spells in agent sessions.
元数据
Slug magic-quill
版本 1.0.0
许可证
累计安装 0
当前安装数 0
历史版本数 1
常见问题

Magic Quill 是什么?

Generate YAML spell mapping files for OpenClaw Spellbook themed by a topic or URL, using dynamic spell-list discovery and heuristic fallback. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 631 次。

如何安装 Magic Quill?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install magic-quill」即可一键安装,无需额外配置。

Magic Quill 是免费的吗?

是的,Magic Quill 完全免费(开源免费),可自由下载、安装和使用。

Magic Quill 支持哪些平台?

Magic Quill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Magic Quill?

由 Yong(@wynnsu)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论