← 返回 Skills 市场
375
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install openclaw-model-card
功能描述
Generate OpenClaw model inventory and model-card images from openclaw.json. Use when asked to list all configured models, verify default/fallback chains, or...
安全使用建议
This skill appears to implement exactly what it claims: reading an openclaw.json, performing consistency checks, listing models, and optionally rendering a visual card. Before installing/use: 1) Run it with an explicit --config path to avoid unintentionally reading system/user config files (the script will fallback to OPENCLAW_CONFIG or default paths if --config is omitted). 2) Ensure your environment has python3 and node installed, and install wkhtmltoimage if you want image rendering (md2img.js checks for it). 3) Because the registry metadata lists no required binaries or env vars but the code uses OPENCLAW_CONFIG and external binaries, prefer using explicit paths and avoid exposing sensitive files. 4) If you need higher assurance, review the two included scripts locally (they are short and readable) and run them in a sandboxed environment first. Overall this is internally coherent and not requesting secrets or network access.
功能分析
Type: OpenClaw Skill
Name: openclaw-model-card
Version: 0.1.0
The skill bundle is classified as suspicious due to several vulnerabilities in `scripts/show-model-config.py` and `scripts/md2img.js`. The `show-model-config.py` script allows an arbitrary file read via the `--config` argument, enabling an attacker to specify any JSON file on the system for parsing. Additionally, both `show-model-config.py` and `md2img.js` allow an arbitrary file write via the `--image` argument, potentially overwriting existing files or writing to sensitive locations. While there is no evidence of intentional malicious behavior like data exfiltration or persistence, these vulnerabilities could be exploited by an attacker controlling script arguments (e.g., through prompt injection against the agent).
能力评估
Purpose & Capability
The name/description (generate model inventory and model-card images from openclaw.json) aligns with the included Python script and Node helper: the Python script reads openclaw.json, performs consistency checks and outputs Markdown/CLI text, and the Node script renders Markdown to an image. Nothing in the code attempts unrelated actions (no network calls, no credential usage).
Instruction Scope
SKILL.md instructs the agent to run the Python script with --config, which is correct and recommended. The Python script also falls back to an OPENCLAW_CONFIG environment variable and a set of default file paths (including /opt/openclaw-data/conf/openclaw.json and ~/.openclaw/openclaw.json) if --config is not provided. This fallback behavior is reasonable for convenience but is not documented in SKILL.md; it means the tool can read system or user config files if run without an explicit path.
Install Mechanism
There is no install spec (lowest risk) and all code is included. However the skill requires runtimes/binaries that are not declared in the top-level metadata: the Python script requires python3 (present on most systems), the Node-based md2img.js requires node, and md2img.js depends on the external binary wkhtmltoimage. SKILL.md does note the wkhtmltoimage dependency but the registry metadata listed 'required binaries: none', which is inconsistent. There are no downloads or remote install URLs in the skill.
Credentials
The skill does not request credentials and doesn't exfiltrate data. It does read an environment variable OPENCLAW_CONFIG (used as an alternative config path) even though the skill's declared required env vars list is empty; that discrepancy is minor but worth noting. Otherwise no access to secrets or unrelated system credentials is present.
Persistence & Privilege
The skill does not request persistent privileges, does not set always:true, and does not modify other skills or system-wide agent settings. It only reads files and writes output files when asked to render an image.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install openclaw-model-card - 安装完成后,直接呼叫该 Skill 的名称或使用
/openclaw-model-card触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
Initial release: generate model inventory and model-card image from openclaw.json
元数据
常见问题
OpenClaw Model Card 是什么?
Generate OpenClaw model inventory and model-card images from openclaw.json. Use when asked to list all configured models, verify default/fallback chains, or... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 375 次。
如何安装 OpenClaw Model Card?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-model-card」即可一键安装,无需额外配置。
OpenClaw Model Card 是免费的吗?
是的,OpenClaw Model Card 完全免费(开源免费),可自由下载、安装和使用。
OpenClaw Model Card 支持哪些平台?
OpenClaw Model Card 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 OpenClaw Model Card?
由 sdsdsdff(@sdsdsdff)开发并维护,当前版本 v0.1.0。
推荐 Skills