← 返回 Skills 市场
227
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install openclaw-a2ui
功能描述
为 OpenClaw webchat 回复增加个性化富 UI 展示,基于 HTML 直出渲染。 【默认启用】凡是结构化内容(列表、数据、步骤、表格、摘要、状态、代码等)一律用 HTML 卡片回复。 纯文字聊天(简单问答、闲聊)不强制套卡片。 当用户要求安装/迁移 openclaw-a2ui、启用 HTML 渲染、...
安全使用建议
What to consider before installing:
- This skill intentionally modifies server-side files: it copies a plugin into your OpenClaw extensions folder, edits openclaw.json, and injects a script into control-ui/index.html. Those changes will run code in every user's browser and should be reviewed and backed up before installation.
- The injected client script reads certain localStorage keys and location.hash to build an Authorization header for an internal manifest fetch; it does not send those tokens to external servers in the provided code, but any script injected into index.html can be a powerful vector—ensure you trust the author and review the injected JS line-by-line.
- The manifest HTTP handler sets CORS to '*'. That makes UI config manifests retrievable cross-origin; assess whether your ui-config.json files contain any sensitive information (e.g., external URLs or CSS that could leak internal data).
- Recommended actions: (1) review assets/skill-ui-bridge-plugin.js and assets/skill-ui-bridge.js fully, (2) run the install in a staging instance first, (3) back up control-ui/index.html (the install script creates an .orig but confirm), (4) consider restricting CORS or adding auth checks in the manifest handler if you operate in a sensitive environment, and (5) if you are not comfortable with server-side file changes or broad client-side JS injection, do not install.
功能分析
Type: OpenClaw Skill
Name: openclaw-a2ui
Version: 1.0.2
The skill bundle implements a rich UI framework that performs high-risk system modifications, including programmatically patching the OpenClaw web interface's 'index.html' and modifying the 'openclaw.json' configuration file (found in assets/skill-ui-bridge-plugin.js and scripts/install.ts). Additionally, the client-side component (assets/skill-ui-bridge.js) contains logic to programmatically extract authentication tokens from the browser's localStorage. While these actions are aligned with the stated purpose of providing a 'UI bridge' for HTML rendering, the capability to modify core application files and access sensitive credentials represents a significant security risk that could be exploited for XSS or session hijacking.
能力评估
Purpose & Capability
Name/description (HTML-rich card rendering for OpenClaw webchat) align with the provided code and configs: ui-config.json expands DOMPurify/markdown rules, skill-ui-bridge.js patches client behavior to detect and render <div class="a2ui"> cards, and the plugin scripts inject the bootstrap into control-ui. Files and behaviors are coherent with the stated feature.
Instruction Scope
SKILL.md instructs the agent to emit HTML cards and documents the installation steps; it does not ask the agent to read unrelated system files or secrets at runtime. The runtime JS runs in the browser to transform chat DOM elements—this is consistent with the skill's UI purpose.
Install Mechanism
Installation is local (no remote downloads) but the plugin injects a static JS into control-ui/index.html and writes a skill-ui-init.js into the control-ui static directory. Modifying index.html and adding same-origin script is a high-impact operation (runs arbitrary JS in every client's browser). The install script copies plugin files into extensions and edits openclaw.json — this is necessary for the plugin approach but is a privileged change that should be reviewed and backed up.
Credentials
The skill declares no environment variables, which is appropriate. However, the client bootstrap (skill-ui-bridge.js) reads location.hash and localStorage keys (openclaw.device.auth.v1 and openclaw.control.settings.v1) to build an Authorization header when fetching /plugins/skill-ui/manifest. The server-side manifest handler is registered with Access-Control-Allow-Origin: "*" (CORS wildcard). While the code does not transmit tokens to third-party servers, reading browser-stored tokens and exposing a manifest endpoint with permissive CORS raise privacy/attack-surface concerns you should consider.
Persistence & Privilege
The plugin requires persistent, system-level changes: copying files into the OpenClaw extensions directory, registering the plugin in openclaw.json, and injecting a script into control-ui/index.html that will execute in all client browsers. always:false mitigates forced global enablement, but the installation grants broad privilege (arbitrary JS execution in UI) — review and backup steps are recommended.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install openclaw-a2ui - 安装完成后,直接呼叫该 Skill 的名称或使用
/openclaw-a2ui触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
openclaw-a2ui v1.0.2
- 明确文档版本为 1.0.2,并同步 Changelog 中版本号说明
- 强化“单卡片模式”强制规则,所有结构化内容仅允许卡片显示,无文本+卡片组合
- 调整触发规则说明,强调每次回复只允许一个卡片或纯文字,无前后解释性文本
- 保持原有骨架屏优化说明、卡片模板与设计规范不变
v1.0.1
openclaw-a2ui v1.0.1
- 初始版本发布。
- 提供 OpenClaw webchat 富 UI 卡片结构化 HTML 渲染规范。
- 默认启用结构化内容(列表、数据、步骤、表格、摘要、状态、代码等)的 HTML 卡片式回复。
- 纯文字聊天内容不强制使用卡片回复。
- 明确输出规则与样式规范,确保兼容 skill-ui-bridge 插件。
- 提供常用卡片模板与最佳实践说明。
v1.0.0
openclaw-a2ui v1.0.0
- 初始发布:为 OpenClaw webchat 回复增加基于 HTML 卡片的富 UI 展示
- 自动判断结构化内容(如列表、表格、步骤等),强制使用 HTML 卡片封装输出
- 纯文字问答默认不强制套用卡片,遵循用户要求输出模式
- 卡片设计规范和模板提供,包含 TextCard、ListCard、DataCard、StatsCard、AlertCard、StepsCard 等
- 安装及常见问题说明,指引 skill-ui-bridge 插件的安装与 DOMPurify 配置处理
- 明确输出要求:HTML 必须带 class="a2ui",且与文本分段,便于前端自动渲染
元数据
常见问题
OpenClaw A2UI 是什么?
为 OpenClaw webchat 回复增加个性化富 UI 展示,基于 HTML 直出渲染。 【默认启用】凡是结构化内容(列表、数据、步骤、表格、摘要、状态、代码等)一律用 HTML 卡片回复。 纯文字聊天(简单问答、闲聊)不强制套卡片。 当用户要求安装/迁移 openclaw-a2ui、启用 HTML 渲染、... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 227 次。
如何安装 OpenClaw A2UI?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-a2ui」即可一键安装,无需额外配置。
OpenClaw A2UI 是免费的吗?
是的,OpenClaw A2UI 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
OpenClaw A2UI 支持哪些平台?
OpenClaw A2UI 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 OpenClaw A2UI?
由 Suuuy(@suuuy)开发并维护,当前版本 v1.0.2。
推荐 Skills