← 返回 Skills 市场
minecraft-bridge
作者
en1r0py1865
· GitHub ↗
· v1.0.0
· MIT-0
319
总下载
0
收藏
2
当前安装
1
版本数
在 OpenClaw 中安装
/install minecraft-bridge
功能描述
Local HTTP bridge for Mineflayer-based live control of a Minecraft Java bot. Trigger when the user wants to connect a bot to their world, check bot status/in...
安全使用建议
This skill appears to implement what it claims (a local Mineflayer HTTP bridge) but check a few things before installing or running it: 1) Verify the bridge binds only to localhost (127.0.0.1). If bridge-server.js calls server.listen(port) without a host, it may be reachable from the network — change it to server.listen(port, '127.0.0.1') or firewall it. 2) Confirm the environment-variables list: set MC_BRIDGE_PORT, MC_VERSION, and MC_AUTH as needed (these are referenced by the code/docs but not listed in metadata). 3) Be cautious with POST /command: it forwards arbitrary slash commands; do not run this against servers where the bot has operator privileges unless you trust commands being issued. 4) start.sh will run npm install locally; review the installed package versions and consider locking them (package-lock) or auditing packages before use. 5) Run the bridge under an unprivileged user, and avoid exposing the machine's network interface to untrusted networks. If you want me to, I can inspect the remainder of bridge-server.js (the truncated part) to confirm the server.listen call and any additional network or file operations.
功能分析
Type: OpenClaw Skill
Name: minecraft-bridge
Version: 1.0.0
The bundle provides a legitimate local HTTP bridge for controlling a Mineflayer-based Minecraft bot. The code in `bridge-server.js` is well-structured, binding the API strictly to 127.0.0.1 and implementing a `BLOCKED_COMMANDS` regex to prevent the bot from being used for administrative abuse (e.g., /op, /ban). While the `/command` endpoint allows arbitrary in-game commands, the documentation in `SKILL.md` and `references/api-spec.md` explicitly warns about this risk, and there is no evidence of host-level execution, data exfiltration, or malicious prompt injection.
能力评估
Purpose & Capability
Name, description, required binary (node), and npm packages (mineflayer, mineflayer-pathfinder, vec3) align with a Mineflayer-based local bridge. The skill's files (bridge-server.js, start/stop scripts, API docs) are consistent with its claimed functionality. Minor mismatch: SKILL metadata lists MC_HOST, MC_PORT, MC_BOT_USERNAME as required, but the runtime also expects other environment variables (MC_BRIDGE_PORT, MC_VERSION, MC_AUTH) documented in config.example.json and SKILL.md.
Instruction Scope
Runtime instructions focus on starting a local HTTP bridge and calling localhost endpoints (status, move, mine, chat, command, etc.), which is within scope. Concerns: (1) The documentation repeatedly states the bridge is intended for localhost only, but the code snippet does not show an explicit bind address — if bridge-server.js calls server.listen(port) without a host, Node will typically bind to all interfaces (0.0.0.0), exposing the API to the network. Verify the server bind address in the full source. (2) /command forwards arbitrary slash commands (with some commands blocked); this is necessary for usefulness but is a high-risk capability if the bot has elevated permissions — the README warns about this, which is good.
Install Mechanism
start.sh will run 'npm install mineflayer mineflayer-pathfinder vec3' in the skill directory if the dependencies are not present. Installing npm packages from the public registry is expected here but carries the usual supply-chain risk (moderate). The install is not downloading arbitrary archives or running code from unknown URLs — it's npm, which is traceable.
Credentials
The declared required env vars (MC_HOST, MC_PORT, MC_BOT_USERNAME) are appropriate. However, the SKILL.md and config.example reference additional env vars (MC_BRIDGE_PORT, MC_VERSION, MC_AUTH) that are not listed in the metadata 'requires.env'. The skill does not request unrelated secrets (no API keys, AWS, etc.), which is good. Still: MC_AUTH may be used to select authentication mode (offline vs microsoft) — if you run against an authenticated server ensure you understand how credentials are supplied and that they are not being accidentally stored or transmitted.
Persistence & Privilege
The skill does not request always:true and does not modify other skills' configurations. It creates PID and log files under /tmp or XDG_RUNTIME_DIR and can install npm packages into the skill directory — this is normal for a local helper service. Autonomous invocation is allowed (default) but not combined with other high-risk factors here.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install minecraft-bridge - 安装完成后,直接呼叫该 Skill 的名称或使用
/minecraft-bridge触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release of minecraft-bridge skill: a local HTTP bridge for live control of a Minecraft Java bot via Mineflayer.
- Enables in-game bot actions (move, mine, craft, follow, chat) and live state reads (status, inventory, position) through a REST API.
- Setup instructions included for connecting to local or LAN-hosted Minecraft Java worlds.
- Comprehensive HTTP API for real-time bot management; includes error handling and integration guidance for dependent skills.
- Distinct usage boundaries established: use only for live-game interaction, not for knowledge or server administration.
元数据
常见问题
minecraft-bridge 是什么?
Local HTTP bridge for Mineflayer-based live control of a Minecraft Java bot. Trigger when the user wants to connect a bot to their world, check bot status/in... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 319 次。
如何安装 minecraft-bridge?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install minecraft-bridge」即可一键安装,无需额外配置。
minecraft-bridge 是免费的吗?
是的,minecraft-bridge 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
minecraft-bridge 支持哪些平台?
minecraft-bridge 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 minecraft-bridge?
由 en1r0py1865(@en1r0py1865)开发并维护,当前版本 v1.0.0。
推荐 Skills