MyVibe Skills
Author: zhuzhuyule · v1.0.0
Total downloads: 1092
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install myvibe-skills
Description
Publish static HTML, ZIP archive, or directory to MyVibe. Use this skill when user wants to publish web content to MyVibe.
Security usage recommendations
This skill generally does what it claims, but it requires running network-enabled commands, installing npm packages (potentially globally), starting local servers, and writing files in your home and /tmp directories. Before installing or invoking it:
1) Review scripts/utils/auth.mjs to see how access tokens are obtained/stored and where tokens are written;
2) Audit package.json/package-lock.json (and the @aigne dependencies) for any packages you don't trust;
3) Avoid granting a broad/elevated sandbox permission unless you run the skill in an isolated environment (VM or disposable container);
4) Be cautious about allowing global installs (agent-browser) and npx runs — prefer installing required dependencies in an isolated environment under your control;
5) If you need only metadata or simple uploads, consider using a narrower tool that doesn't request global installs or elevated sandbox privileges.
If you want, I can inspect auth.mjs (not shown fully) and the remaining truncated files for token storage or other sensitive behavior to refine this assessment.
Functional analysis
Type: OpenClaw Skill
Name: myvibe-skills
Version: 1.0.0
The skill is classified as suspicious due to several high-risk capabilities, even though the explicit intent appears benign. Key indicators include the requirement for `sandbox_permissions=require_escalated` for network access, the instruction to the AI agent to perform a global `npm install -g agent-browser && agent-browser install` in `SKILL.md` and `generate-screenshot.mjs`, and the dynamic execution of `npx http-server` in `generate-screenshot.mjs`. These actions involve downloading and executing external code and modifying the system environment, which introduces significant supply chain and arbitrary code execution vulnerabilities if the external packages or the agent's execution context were compromised. Additionally, the skill makes network requests to a user-configurable `--hub` URL, which could be abused if the agent is tricked into publishing to a malicious endpoint. While these capabilities are plausible for a publishing and screenshotting skill, they represent substantial attack surfaces without clear evidence of intentional malice.
Capability assessment
Purpose & Capability
The name/description (publish static HTML/ZIP/dir to MyVibe) matches the included scripts: uploading via TUS, conversion polling, screenshot generation and publishing metadata. Reading git remote, zipping directories, creating screenshots, and uploading are all coherent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run network-enabled Bash commands, potentially globally install agent-browser (npm install -g agent-browser), run `npx http-server`, run `agent-browser` (which manages Chromium), run `npm install` for script dependencies, and run git commands. Those steps require filesystem access, process spawning, network access, and installing third‑party software — broader scope than a purely read-only metadata extractor. The instruction to run Bash commands with `sandbox_permissions=require_escalated` is unusual and raises privilege concerns.
Install Mechanism
There is no formal install spec, but package.json and package-lock.json are included and the SKILL.md explicitly tells operators to run `npm install` (or `npm install -g agent-browser`) and uses `npx` to run http-server. This means dependencies will be fetched from the npm registry at runtime (moderate risk). No downloads from suspicious URLs were found, but dynamic installs and npx execution increase attack surface.
Credentials
The skill does not request unrelated environment variables or cloud credentials. It performs reasonable local operations for publishing (reads files, reads git remote, writes publish history to ~/.myvibe, creates /tmp artifacts) and uses an OAuth/authorization flow (getAccessToken) rather than asking for secrets in env vars. Those behaviors are proportional to the publishing task but involve storing state in the user's home directory and using bearer tokens at runtime.
Persistence & Privilege
The skill is not 'always' installed. It does persist publish history to ~/.myvibe/published.yaml and writes /tmp screenshot result files. The runtime instructions may install global binaries (agent-browser) and run npx which can add software to the environment. The SKILL.md request to run commands with elevated sandbox/network permissions is notable and increases the blast radius if granted.
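How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install myvibe-skills
- After installation, call the Skill directly by name or use /myvibe-skills to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output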
Version history
v1.0.0
myvibe-skills v1.0.0
- Initial release of the MyVibe Publish skill.
- Allows publishing static HTML, ZIP archives, or directories to MyVibe.
- Supports publishing from file, directory, or URL with optional metadata extraction, git integration, and screenshot generation.
- Provides automated project type detection (static, buildable, monorepo) and smart workflow (build, analyze, confirm, publish).
- Includes advanced options for visibility, updating specific Vibes, and import from external URLs.
- Guides users through error handling and upgrade prompts for version history features.
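FAQ
What is MyVibe Skills?
Publish static HTML, ZIP archive, or directory to MyVibe. Use this skill when user wants to publish web content to MyVibe. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1092 cumulative downloads so far.
How do I install MyVibe Skills?
Run the command "/install myvibe-skills" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is MyVibe Skills free?
Yes, MyVibe Skills is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does MyVibe Skills support?
MyVibe Skills runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed MyVibe Skills?
It is developed and maintained by zhuzhuyule (@zhuzhuyule); the current version is v1.0.0.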