← 返回 Skills 市场
Movi Review-First Bundle
作者
Yifeng[Terry] Yu
· GitHub ↗
· v1.0.0
· MIT-0
74
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install movi-review-first-bundle
功能描述
Teach an agent to install Movi's local MCP server, stay review-first, and use the safest manifest and batch-analysis tools before deeper mutation.
安全使用建议
This skill is internally coherent for installing and using a local Movi MCP review-first workflow, but it instructs you to clone and run code from the repository xiaojiou176-open/movi-organizer. Before you run any bootstrap or npm scripts: (1) inspect the repository contents and the specific scripts referenced (tooling/runtime/bootstrap_env.sh, tooling/gates/verify_repo_final.sh, run_mcp_stdio.sh, package.json scripts) to ensure they do not perform unwanted actions; (2) replace any placeholder absolute paths in the provided config snippets so they do not point to sensitive locations; (3) run the install steps in a sandboxed or least-privileged environment if possible (container/VM); (4) ensure your host has bash and Node/npm installed — add these as explicit prerequisites if you plan to rely on the skill; and (5) if you need higher assurance, request the repository owner provide a reproducible build artifact or a vetted release rather than running master branch scripts directly. Overall: coherent and plausible for its stated purpose but exercise normal caution when cloning and executing third-party repository scripts.
功能分析
Type: OpenClaw Skill
Name: movi-review-first-bundle
Version: 1.0.0
The bundle instructs the agent to clone an external repository (github.com/xiaojiou176-open/movi-organizer.git) and execute unverified local scripts, specifically `tooling/runtime/bootstrap_env.sh` and `run_mcp_stdio.sh`, to set up an MCP server. While the documentation in `SKILL.md` and `references/INSTALL.md` emphasizes a 'review-first' safety workflow, the requirement to run arbitrary shell scripts and install dependencies from an external source represents a significant security risk. The lack of visibility into the external scripts' contents makes this bundle suspicious despite its stated benign purpose.
能力评估
Purpose & Capability
The name/description promise (install and run a local Movi MCP server and follow a review-first workflow) matches the included content: SKILL.md, INSTALL.md, demo, configs, and a canonical_repo pointing to a GitHub repo that contains the tooling. The manifests and reference files consistently describe local-first usage and explicitly avoid claiming hosted listings.
Instruction Scope
The runtime instructions direct the operator to clone the referenced GitHub repo and run repo-provided scripts (bash tooling/runtime/bootstrap_env.sh, npm run mcp:tools, etc.). These steps are coherent with installing a local toolchain but do allow arbitrary code execution from the cloned repository; the SKILL.md itself does not attempt to read unrelated system files or exfiltrate data. It also instructs replacing placeholder absolute paths before attaching the MCP server, which is a reasonable safety step but requires operator attention.
Install Mechanism
This is an instruction-only skill (no install spec). The packet instructs the host to git-clone a public repo (canonical_repo: xiaojiou176-open/movi-organizer) and run npm/bash scripts. Downloading and running remote repository code is expected for this purpose but carries the usual risk of executing external code; the package does not itself embed binary downloads from unknown hosts or use obscure URLs.
Credentials
The skill declares no required environment variables or credentials, which aligns with its local-first claim. However, the instructions implicitly require runtime tools (bash and Node/npm) and filesystem access to check out and run the repo; these binaries are not enumerated in the metadata. No unrelated cloud credentials or secrets are requested.
Persistence & Privilege
The skill is not always:true and does not request persistent privileges. It is user-invocable and can be invoked autonomously by the agent (platform default), but nothing in the packet requests elevated system configuration changes or modifies other skills' settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install movi-review-first-bundle - 安装完成后,直接呼叫该 Skill 的名称或使用
/movi-review-first-bundle触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Movi Review-First Bundle initial release:
- Guides users to install and configure the local Movi MCP server for a review-first workflow.
- Focuses on inspecting jobs and manifests before making any changes, emphasizing safe-first operations.
- Outlines integration steps with OpenHands, OpenClaw, and similar agents.
- Provides reference files for installation, configuration, capabilities, and demos.
- Enforces clear workflow boundaries: local-only, no live claims, and strict adherence to review and dry-run stages before mutations.
元数据
常见问题
Movi Review-First Bundle 是什么?
Teach an agent to install Movi's local MCP server, stay review-first, and use the safest manifest and batch-analysis tools before deeper mutation. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 74 次。
如何安装 Movi Review-First Bundle?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install movi-review-first-bundle」即可一键安装,无需额外配置。
Movi Review-First Bundle 是免费的吗?
是的,Movi Review-First Bundle 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Movi Review-First Bundle 支持哪些平台?
Movi Review-First Bundle 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Movi Review-First Bundle?
由 Yifeng[Terry] Yu(@xiaojiou176)开发并维护,当前版本 v1.0.0。
推荐 Skills