Mml
Author: honeybee1130 · GitHub · v1.0.0
Total downloads: 502
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install mml
Description
Build 3D scenes and interactive experiences using MML (Metaverse Markup Language) for the Otherside metaverse and other MML-compatible environments. Use when...
Safe usage recommendations
This skill is basically documentation for MML and appears internally consistent with that purpose. Before using or deploying MML content produced with it, consider: (1) inline <script> and event handlers allow arbitrary JavaScript in the renderer — review and sanitize any scripts to avoid data exfiltration, unauthorized network calls, or malicious logic; (2) m-frame and remote src attributes can fetch arbitrary remote resources (models, audio, video, MML docs) — avoid loading untrusted hosts and check CORS/sandboxing; (3) m-position-probe and m-chat-probe expose user presence/chat data — only use with explicit user consent and in trusted environments; (4) the SKILL.md references a local compiled reference path and the skill has no provenance/homepage — if provenance matters, ask the publisher for source or prefer an official reference. If you plan to render scenes in a shared or production environment, test in an isolated environment first and ensure the client renderer applies appropriate sandboxing and network restrictions.
Functional analysis
Type: OpenClaw Skill
Name: mml
Version: 1.0.0
The skill is classified as suspicious due to a prompt injection vector in `SKILL.md` that instructs the AI agent to read a local file (`/home/ubuntu/.openclaw/workspace/research/mml-reference.md`). While this specific instruction is for a benign documentation file, it demonstrates the agent's susceptibility to file access commands via prompt injection. Additionally, the MML language itself, as described in `SKILL.md` and `references/elements.md`, supports client-side JavaScript execution via `<script>` tags and `on*` attributes, and allows loading external resources (models, images, videos, other MML documents) from arbitrary URIs. These capabilities, while core to MML's design, represent a significant attack surface for potential XSS, SSRF, or content injection if the agent were to process or generate MML from untrusted input, or if the rendering environment is not properly secured.
Capability assessment
Purpose & Capability
The name/description (building MML scenes) align with the provided SKILL.md and references. Required env vars/binaries/install steps are absent as expected for a documentation/instruction-only skill.
Instruction Scope
SKILL.md is a full language/reference and includes examples that use inline <script> (DOM APIs), event handlers, m-frame embedding, remote src URIs (models, audio, video), and probes that expose nearby user positions/chat. Those capabilities are expected for a scene-building language, but they allow arbitrary client-side JS and remote fetches — a runtime concern (privacy/exfiltration) outside the skill itself.
Install Mechanism
No install spec and no code files — lowest-risk delivery. Nothing is downloaded or written to disk by the skill itself.
Credentials
No environment variables, credentials, or config paths are requested. The declared requirements are proportional to a documentation-only skill.
Persistence & Privilege
always is false and autonomous model invocation is default. The skill does not request persistent presence or modify other skills/configuration.
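How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install mml`
- After installation, call the Skill by name or use `/mml` to trigger it
- Provide the required input according to the Skill's parameter description to get structured output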
Version history
v1.0.0
Initial release
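FAQ
What is Mml?
Build 3D scenes and interactive experiences using MML (Metaverse Markup Language) for the Otherside metaverse and other MML-compatible environments. Use when... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 502 cumulative downloads to date.
How do I install Mml?
Run the command "/install mml" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is Mml free?
Yes, Mml is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does Mml support?
Mml is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Mml?
It is developed and maintained by honeybee1130 (@honeybee1130); the current version is v1.0.0.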