← 返回 Skills 市场
Forge
作者
Indigo Karasu
· GitHub ↗
· v2.3.0
· MIT-0
105
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install ocas-forge
功能描述
Create, build, review, repair, and validate complete Agent Skill packages through a six-phase pipeline, outputting finished installable skill files.
安全使用建议
Forge is coherent for its purpose: it will build and write complete, installable skill packages and keep logs/journals under ~/openclaw. Before installing or enabling it, consider: (1) Require manual review/approval of any package Forge produces before installation — do not auto-install outputs. (2) Restrict or monitor its filesystem and network capabilities if your environment allows policy controls (prevent writing to unexpected locations or pulling arbitrary GitHub code). (3) Vet the upstream GitHub source the skill references if you allow its self-update feature. (4) Monitor journals/decisions files it writes and intake processing to ensure it only processes expected Mentor proposals. These controls will reduce risk from legitimately powerful but high-impact behavior. If you want lower risk, run Forge in an isolated/test environment and inspect build outputs before trusting them in production.
功能分析
Type: OpenClaw Skill
Name: ocas-forge
Version: 2.3.0
The 'ocas-forge' skill implements a self-update mechanism in SKILL.md (forge.update) that uses the GitHub API to download a tarball and overwrite its own source directory using shell commands (tar, cp, rm). While this is functionally consistent with a development tool, it creates a high-risk remote code execution (RCE) vector and supply-chain vulnerability. Furthermore, the forge.init process establishes persistence by automatically registering a daily cron job to execute this update, which could be leveraged to maintain control over the agent if the remote repository is compromised.
能力评估
Purpose & Capability
Name, description, SKILL.md, README, and skill.json consistently describe a skill-authoring/builder that reads intake files and writes build artifacts and journals. Declared filesystem read/write permissions (~/openclaw/data/ocas-forge and journals) align with the described behavior. No unrelated env vars, binaries, or external credentials are requested.
Instruction Scope
SKILL.md explicitly instructs processing intake files, running a six-phase build pipeline, writing finished installable packages, and persisting journals and logs under ~/openclaw. It does not instruct reading unrelated system files or exfiltrating secrets. Important caveat: Forge's default behavior is to output complete installable package file contents — this is a high-impact side effect (it will create code/assets that could later be executed if installed). The SKILL.md also mentions self-updates from GitHub and scheduled jobs, which implies network operations even though no network credentials are declared.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code to run. No downloads, archives, or external package installs are declared, which minimizes install-time risk.
Credentials
The skill requests no environment variables or credentials and only the narrow filesystem access to its own data and journals directories. That access is proportionate to a component that persists intake files, build logs, and journals.
Persistence & Privilege
always:false (not force-included) and autonomous invocation is allowed (default). Autonomous operation combined with the capability to generate full installable packages and schedule self-updates increases the operational impact if misused. Forge claims heartbeat/cron registration for intake and self-update — these behaviors should be reviewed in deployment policy, but they are not inherently inconsistent with the stated purpose.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install ocas-forge - 安装完成后,直接呼叫该 Skill 的名称或使用
/ocas-forge触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.3.0
ocas-forge 2.3.0
- Updated and clarified SKILL.md for clearer usage boundaries, responsibilities, and workflow.
- Added detailed descriptions of all commands, package structure, and mandatory pipeline phases.
- Explicit instructions for intake processing with Mentor and background job registration.
- Expanded initialization and storage layout documentation.
- Included OKRs, validation requirements, and guidance for skill type classification.
- Improved examples and clarified anti-patterns to avoid in skill authoring.
- Added self-update and background job mechanisms for maintaining latest source.
元数据
常见问题
Forge 是什么?
Create, build, review, repair, and validate complete Agent Skill packages through a six-phase pipeline, outputting finished installable skill files. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 105 次。
如何安装 Forge?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install ocas-forge」即可一键安装,无需额外配置。
Forge 是免费的吗?
是的,Forge 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Forge 支持哪些平台?
Forge 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Forge?
由 Indigo Karasu(@indigokarasu)开发并维护,当前版本 v2.3.0。
推荐 Skills