abczsl520

Node.js Project Architecture

Author: abczsl520 · GitHub · v1.1.0
cross-platform ⚠ suspicious
Total downloads: 468
Favorites: 0
Current installs: 2
Versions: 2
Install in OpenClaw
/install nodejs-project-arch
Description
Node.js project architecture standards for AI-assisted development. Enforces file splitting (<400 lines), config externalization, route modularization, and a...
Security usage recommendations
This is a coherent, instruction-only architecture guide — it won't itself install code or ask for credentials. However, consider the following before adopting its patterns:
- Review any produced admin endpoint code carefully. Ensure requireAdmin is implemented with robust authentication (not a plain header in production), use TLS, enforce rate limits, CSRF protection, and logging.
- Avoid storing sensitive secrets (admin passwords, API secrets) in a web-served config.json; prefer environment variables or a secrets manager for production. If you must use config files, ensure /api/config never returns secret fields and that backup files are protected.
- Validate and sanitize incoming admin POST data before writing config.json, and consider access controls (IP allowlist, OAuth, or token-based auth) rather than a simple header password.
- Treat hot-reload in production cautiously: it simplifies operations but can enable misconfiguration or privilege escalation if exposed publicly.
- Because the skill is instruction-only, the security risk comes from code you or an agent generate from these instructions — audit generated server/admin code before deploying publicly.
Functional analysis
Type: OpenClaw Skill
Name: nodejs-project-arch
Version: 1.1.0

The skill bundle provides architectural standards for Node.js projects aimed at optimizing AI context usage, but it explicitly instructs the AI to implement a high-risk administrative 'hot-reload' feature. This feature includes code patterns in SKILL.md and docs/Config-Pattern.md that perform direct, unsanitized filesystem writes (fs.writeFileSync) to a configuration file using user-supplied data (req.body). While the intent appears to be developer convenience, this pattern introduces a significant security vulnerability (Arbitrary File Write/Configuration Injection) and promotes a weak authentication mechanism (x-admin-password header) for sensitive administrative actions.
Capability assessment
Purpose & Capability
Name/description (AI-friendly Node.js project architecture, file-splitting, config externalization, admin dashboard) match the SKILL.md and reference files. The skill requests no unrelated binaries, env vars, or installs — everything in the docs is coherent with structuring projects and adding an admin UI.
Instruction Scope
Runtime instructions focus on splitting files, externalizing config, and adding admin endpoints (/api/config, /admin/config). These are within scope, but the docs explicitly instruct reading and overwriting ./config.json, backing it up, and exposing a config API. That pattern can accidentally expose secrets (if strip logic is incomplete) or enable unauthenticated config changes if 'requireAdmin' is not implemented securely. The guidance gives the agent broad discretion to create network-accessible admin endpoints and perform file writes — expected for this purpose but security-sensitive.
Install Mechanism
No install spec and no code files executed by the platform — instruction-only. This minimizes immediate filesystem or network risk from the skill package itself.
Credentials
The skill declares no required environment variables or credentials (consistent). However, it recommends storing admin credentials and third-party API keys in config.json (examples show admin.password and thirdParty keys). Storing secrets in a writable JSON served by the app increases the risk of accidental exposure; using environment variables or dedicated secret storage is safer for production.
Persistence & Privilege
Skill metadata does not request always:true or elevated privileges and is user-invocable only. The README claim that the skill "auto-activates" on certain prompts is a behavioral description, not a metadata privilege — metadata indicates normal, non-forced inclusion.
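How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install nodejs-project-arch
  3. Once installation completes, invoke the Skill by name or trigger it with /nodejs-project-arch
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history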
v1.1.0
Added AI Dev Quality Suite cross-references
v1.0.0
Initial release: AI-friendly Node.js architecture standards with game/tool/SDK references
Metadata
Slug nodejs-project-arch
Version 1.1.0
License
Total installs 2
Current installs 2
Version count 2
FAQ

What is Node.js Project Architecture?

Node.js project architecture standards for AI-assisted development. Enforces file splitting (<400 lines), config externalization, route modularization, and a... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 468 total downloads to date.

How do I install Node.js Project Architecture?

Run the command "/install nodejs-project-arch" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Node.js Project Architecture free?

Yes, Node.js Project Architecture is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Node.js Project Architecture support?

Node.js Project Architecture is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Node.js Project Architecture?

Developed and maintained by abczsl520 (@abczsl520); the current version is v1.1.0.
