← 返回 Skills 市场
open-skills
作者
Jonny Looma
· GitHub ↗
· v2.0.1
· MIT-0
74
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install open-skills
功能描述
一个交互式 CLI 工具,帮助开发者按分类浏览、空格多选、一键批量安装/同步 AI Agent skills 到多个编辑器。
安全使用建议
Before installing: 1) Verify the package source (npm user/org, repository URL, and commit history); avoid running npx against an unknown publisher. 2) Inspect package.json and any postinstall scripts — npx/npm may run lifecycle scripts. 3) Review the code that writes to editor/config paths (search for target paths in src/core/presets/editors.ts and install/sync code) and back up those editor settings. 4) Expect this tool to perform network downloads and write files into editor skill directories; confirm whether it will execute any downloaded code or spawn runtime processes (Node/Python). 5) If you need least privilege, run the tool in a container or VM first to observe behavior. 6) If you intend to use bundled skills (like deep-research), review those bundles separately — they declare autonomous triggers and perform web searches and file writes (e.g., ~/.claude/research_output/).
功能分析
Type: OpenClaw Skill
Name: open-skills
Version: 2.0.1
The bundle is a legitimate CLI tool and skill set designed to manage AI agent skills and perform 'Deep Research' tasks. The Node.js/TypeScript code implements a skill installer that uses `simple-git` to clone repositories and an internal registry to manage metadata. The Python scripts in the `deep-research` bundle provide a sophisticated research pipeline, including citation verification (via `doi.org`), source credibility scoring, and automated report validation. While the tool possesses significant capabilities—such as network access for Git/Web searches and file system access for report generation—all behaviors are clearly aligned with the stated purpose and are well-documented within the SKILL.md and README.md files. No evidence of malicious intent, data exfiltration, or unauthorized persistence was found.
能力标签
能力评估
Purpose & Capability
The repository and SKILL.md match the described purpose: a Node CLI with commands for listing, searching, installing, and syncing skills (src/commands/*.ts, registry resolvers, install/sync code). Bundled skill packages (e.g., deep-research) are reasonably part of a skills manager. However the metadata claims 'required binaries: none' while the package is a Node CLI (package.json, src/cli.ts) and the deep-research bundle documents Python scripts (python3) — so runtime requirements are understated.
Instruction Scope
SKILL.md describes selecting editors and auto-download/convert/install — which implies filesystem writes into editor skill/config locations. The registry metadata lists no required config paths, and the skill README doesn't enumerate exactly which editor paths will be modified. The included deep-research bundle further contains autonomous scripts that perform web searches, spawn agents, and write to ~/.claude/research_output/ — these behaviors are reasonable for that bundled skill but increase the overall attack surface. The instructions do not warn users about file writes, network downloads, or running any language runtimes (Node/Python).
Install Mechanism
There is no formal install spec in the metadata (instruction-only claim) yet README/SKILL.md recommend an npx command ('npx skills add lumacoder/open-skills -g -y'). The project includes package.json and many source files (TypeScript + Python) indicating it is intended to be installed as an npm package, but 'Source: unknown' and 'Homepage: none' create provenance ambiguity. No explicit external download URLs are listed in install metadata; still, npx/npm will fetch code from a registry — verify the published package/author before running. Bundled Python scripts would execute only if invoked, but the presence of scripts increases risk if the installer executes postinstall hooks (no install spec provided to say it doesn't).
Credentials
The skill declares no required environment variables or credentials, which is plausible for a manager that fetches public skills. However the code contains GitHub resolvers, remote resolvers, adapters, and a 'registry' subsystem that will perform network fetches — private repo installs or some adapters could require tokens (not declared). The deep-research bundle documents use of WebSearch and optional Exa MCP tools and includes Python scripts — so additional runtimes/credentials may be necessary for some functionality even though none are declared.
Persistence & Privilege
The skill is not marked always:true and is user-invocable. That is appropriate. However the package contains bundled skills (e.g., deep-research) that are explicitly designed for autonomous operation when triggered (trigger keywords described in deep-research docs). If you install those bundled skills into an agent environment, they may run autonomously when their triggers occur. This is expected behavior for skills but worth noting: autonomous invocation combined with network fetch + file writes increases blast radius.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install open-skills - 安装完成后,直接呼叫该 Skill 的名称或使用
/open-skills触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.0.1
ahai
元数据
常见问题
open-skills 是什么?
一个交互式 CLI 工具,帮助开发者按分类浏览、空格多选、一键批量安装/同步 AI Agent skills 到多个编辑器。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 74 次。
如何安装 open-skills?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install open-skills」即可一键安装,无需额外配置。
open-skills 是免费的吗?
是的,open-skills 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
open-skills 支持哪些平台?
open-skills 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 open-skills?
由 Jonny Looma(@lumacoder)开发并维护,当前版本 v2.0.1。
推荐 Skills