← 返回 Skills 市场
openclaw-plus
作者
Shindo957-Official
· GitHub ↗
· v1.0.0
812
总下载
2
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install openclaw-plus
功能描述
A modular super-skill combining developer and web capabilities. Use when the user needs Python execution, package management, git operations, URL fetching, o...
安全使用建议
This skill is internally consistent with its advertised purpose: it runs Python, installs packages (pip/apt), manipulates git repos, and makes network requests. Those are exactly the powerful operations you should expect. Before enabling or allowing autonomous use, consider: 1) Run it in a sandbox or throwaway environment if you plan to allow package installs or arbitrary code execution; 2) Be careful about committing files to git — review content for secrets before committing; 3) System package installs require sudo and can change the host; avoid on sensitive machines; 4) Don’t supply sensitive credentials unless necessary and only pass them directly to the call_api call (the skill does not automatically read env secrets); 5) If you plan to allow autonomous invocation, restrict scope or monitor runs because the skill can modify disk, install packages, and call external URLs. If you want a safer posture, enable the skill only for user-invoked sessions and review the implementation.py source before use.
功能分析
Type: OpenClaw Skill
Name: openclaw-plus
Version: 1.0.0
The skill provides powerful developer and web automation capabilities, including arbitrary Python code execution, package installation (with `sudo` for system packages), git operations, and network requests. While these capabilities are aligned with its stated purpose, the `scripts/implementation.py` file exhibits significant vulnerabilities. Specifically, the `install_package` function (especially with `system=True` using `sudo apt-get`) and `git_commit` directly pass unsanitized user-provided strings to `subprocess.run`, creating clear shell injection and arbitrary command execution risks. The `run_python` function also executes arbitrary Python code without explicit sandboxing within the skill itself. These are critical vulnerabilities that could lead to Remote Code Execution and Privilege Escalation if user input or agent instructions are not rigorously sanitized by the OpenClaw environment, classifying the skill as suspicious rather than benign. There is no evidence of intentional malicious behavior (e.g., pre-programmed data exfiltration or backdoors).
能力评估
Purpose & Capability
The name/description (developer + web capabilities) align with the included documentation and implementation. The skill implements run_python, install_package, git_status, git_commit, fetch_url, and call_api as advertised. There are no unrelated required env vars or unexpected capabilities declared.
Instruction Scope
SKILL.md and the implementation permit arbitrary Python execution, pip/apt package installation, writing files, running git commands, and making network requests. Those actions are consistent with the stated purpose, but they grant broad filesystem, process, and network access (creating files, modifying repos, installing system packages, contacting arbitrary URLs). The instructions do not attempt to read unrelated secrets or special system config paths, but they do allow creating/committing files and running arbitrary code supplied at runtime.
Install Mechanism
There is no install spec (instruction-only skill) and all code is bundled in the package. No external download/install-from-URL steps are present. The reference implementation runs local subprocesses (pip, apt, git) but does not fetch or execute remote installers as part of an install script.
Credentials
The skill does not request environment variables or credentials in manifest metadata. The implementation supports passing auth tokens/headers to API calls but does not automatically read or require env secrets. That said, the skill instructs use of sudo apt-get (system package installs) and pip with --break-system-packages, which are high-impact operations for the host system — this is proportionate to the advertised 'install system packages' capability but is powerful and potentially disruptive.
Persistence & Privilege
always is false and the skill does not request persistent system-wide configuration changes. It can run autonomously (disable-model-invocation is false) which is the platform default; combined with the skill's broad capabilities this increases operational risk if you allow autonomous runs, but autonomous invocation alone is expected for skills.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install openclaw-plus - 安装完成后,直接呼叫该 Skill 的名称或使用
/openclaw-plus触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of openclaw-plus: a unified super-skill for developer and web automation tasks.
- Run Python scripts with environment management and output/error capture.
- Install Python (pip/conda/system) packages with dependency handling.
- Check git repository status and view recent changes.
- Commit code changes with support for good commit message practices.
- Fetch web content from URLs with robust error handling and content parsing.
- Make API calls (REST, GraphQL) with authentication and response validation.
- Designed to enable powerful, modular workflows combining code, version control, and web/API interactions.
元数据
常见问题
openclaw-plus 是什么?
A modular super-skill combining developer and web capabilities. Use when the user needs Python execution, package management, git operations, URL fetching, o... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 812 次。
如何安装 openclaw-plus?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-plus」即可一键安装,无需额外配置。
openclaw-plus 是免费的吗?
是的,openclaw-plus 完全免费(开源免费),可自由下载、安装和使用。
openclaw-plus 支持哪些平台?
openclaw-plus 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 openclaw-plus?
由 Shindo957-Official(@shindo957-official)开发并维护,当前版本 v1.0.0。
推荐 Skills