Total downloads: 150
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw
/install obs
Description
Comprehensive Open Build Service (OBS) management with full API support for projects, packages, repositories, builds, submit requests, files, users, and search.
Security usage advice
What to check before installing/running:
- Review the two bundled scripts (references/obs-lib.sh and scripts/obs-expert-setup.sh) yourself; all code is included.
- The skill needs your OBS API token (OBS_USERNAME/OBS_TOKEN) or an oscrc file; only supply a token you trust and keep it minimal-scope and rotatable.
- The setup script will write ~/.config/osc/oscrc and can append credentials to your shell rc (~/.bashrc or ~/.zshrc). Prefer using ~/.config/osc/oscrc with chmod 600 rather than storing tokens in shell rc.
- Do not run the setup script as root unless you deliberately want to create system-wide symlinks; creating a symlink in /usr/local/bin requires root and expands the attack surface.
- The API library uses eval to construct curl commands; if you plan to pass filenames or other inputs containing untrusted content, inspect or sanitize inputs to avoid command injection.
- Test in a safe environment (non-production user or container) first. If you proceed, rotate the token after initial testing and follow least-privilege practices.
- If anything looks unexpected (external endpoints other than api.opensuse.org, unusual network calls, or credential exfiltration), do not proceed and ask for clarification from the author.
Functional analysis
Type: OpenClaw Skill
Name: obs
Version: 1.0.1
The skill bundle provides a comprehensive interface for Open Build Service (OBS) management but contains a critical shell injection vulnerability in 'references/obs-lib.sh'. The 'obs_api_call' function uses 'eval' to execute 'curl' commands, which can be exploited for remote code execution (RCE) if an attacker or a malicious prompt influences the arguments (such as the 'data' or 'endpoint' parameters). While the tool's stated purpose is legitimate and the setup script 'scripts/obs-expert-setup.sh' follows standard (though sensitive) credential handling practices, the presence of such a high-risk coding flaw warrants a suspicious classification.
Capability assessment
Purpose & Capability
Name/description (OBS management) match the included scripts and library: the skill calls the OBS API, manages projects/packages/builds/files, and asks for OBS credentials (API token or oscrc). The only minor inconsistency is that the registry metadata lists no required env vars while SKILL.md and the scripts clearly expect OBS_APIURL/OBS_USERNAME/OBS_TOKEN or ~/.config/osc/oscrc.
Instruction Scope
Runtime instructions and included scripts read/write user config (~/.config/osc/oscrc), may append credentials to shell rc files (~/.bashrc or ~/.zshrc), create temp cookie files in /tmp, and suggest creating a symlink in /usr/local/bin. The API helper uses eval to build and run curl commands (obs_api_call), which can introduce command‑injection risk if inputs are not strictly sanitized. These behaviors are within the tool's purpose but increase risk and should be reviewed before use.
Install Mechanism
No network install/downloads or external installers are used; this is an instruction-and-script package bundled with the skill. That lowers supply-chain risk compared with arbitrary remote downloads. All code is present in the repository for inspection.
Credentials
The credentials requested (OBS username and API token or oscrc) are appropriate for an OBS client. However, the skill metadata did not declare these required env vars even though SKILL.md and scripts depend on them; that's an inconsistency to be aware of. The setup script stores the token in ~/.config/osc/oscrc and optionally appends it to the user shell rc — storing secrets in shell rc is not best practice.
Persistence & Privilege
The skill does not request global 'always' privilege. The included setup script writes to per-user config files and can append environment variables to shell rc; it also suggests creating a symlink in /usr/local/bin (which requires elevated privileges). These are reasonable for a CLI tool but require user consent and care (avoid running as root unless intended).
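How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install obs
- Once installation completes, call the Skill by name or use /obs to trigger it
- Provide the required inputs as described in the Skill's parameter documentation to get structured output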
Version history
v1.0.1
Updated display name to lowercase
v1.0.0
Renamed from obs-expert to obs - Full OBS API coverage with bilingual documentation
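FAQ
What is obs?
Comprehensive Open Build Service (OBS) management with full API support for projects, packages, repositories, builds, submit requests, files, users, and search. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 150 cumulative downloads to date.
How do I install obs?
Run the command "/install obs" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is obs free?
Yes, obs is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does obs support?
obs is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed obs?
It is developed and maintained by wei dong (@weidongkl); the current version is v1.0.1.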