
Openclaw Super Skills

Author jpzhengcn · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 89
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install openclaw-super-skills
Description
Decomposes complex user requests into executable subtasks, identifies required capabilities, searches for existing skills at skills.sh, and creates new skill...
Safe usage advice
This skill is conceptually reasonable (decomposing tasks and locating or creating skills), but it has several practical risks you should consider before installing or enabling it:
- The SKILL.md assumes the Skills CLI (npx skills) and Node/npx are available and instructs global installs (npx skills add -g -y). Those commands will download and run third‑party code; review and vet any package before installing it on your system.
- The manifest lists no required binaries or environment variables, but the workflow expects and may ask for sensitive credentials (email credentials, Slack webhooks/tokens, OAuth keys). Confirm how credentials will be provided, stored, and protected; prefer short‑lived tokens and avoid entering permanent secrets without validation.
- Because the skill can create and install other skills automatically, restrict its ability to perform global installs or to run without your explicit approval. Consider running it in a sandbox or with autonomous invocation disabled until you verify behavior.
- Verify the skill's source and provenance (no homepage provided and source is 'unknown'). If you plan to use it, require that any discovered skills come from trusted owners on skills.sh and review code before installation.

If you want to proceed: ensure node/npx are present, run the agent in a restricted environment, disable automatic installs, and audit any skills the agent proposes to add. If you prefer lower risk, decline installation until the author supplies a trustworthy source, explicit runtime requirements, and a clear credential-handling policy.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-super-skills
Version: 1.0.0

The task-decomposer skill bundle provides instructions for the agent to automatically search for and install third-party skills using the 'npx skills add' command with the '-y' flag, which bypasses user confirmation. While this functionality is aligned with the stated goal of automating workflow setup, it creates a significant security risk by allowing the agent to execute global installations of unverified code from the skills.sh ecosystem based on its own search results. This pattern (found in SKILL.md and README.md) is highly susceptible to prompt injection and supply chain attacks, though no explicit evidence of intentional malice or hardcoded malicious payloads was found.
Capability assessment
Purpose & Capability
The skill's name and description match the SKILL.md: it is a task decomposer and skill generator that searches skills.sh and can create skills. However, the runtime instructions assume the presence of the Skills CLI via npx/node (e.g., 'npx skills find', 'npx skills add', 'npx skills init') but the manifest lists no required binaries. Not declaring node/npx is an incoherence between stated runtime needs and the declared requirements.
Instruction Scope
SKILL.md gives explicit commands to search for and install skills (npx skills find/add/init) and to create new skills automatically. It also shows examples that reference credentials (email credentials/session, Slack webhook/token, OAuth) and scheduling/execution steps. The skill instructions therefore permit installing and running arbitrary third‑party code and handling sensitive credentials, but the manifest provides no constraints on how credentials should be obtained, stored, or protected. The instructions are open‑ended about creating/publishing new skills and do not limit where installs come from.
Install Mechanism
The skill is instruction‑only (no install spec) which is low risk in itself. However, at runtime it directs the agent to use npx to install skills (including global installs with '-g -y'), which will download and run arbitrary packages. That runtime install behavior is expected for a 'skill generator' but increases risk because the skill can cause the agent to install external code during execution.
Credentials
Manifest declares no required environment variables or primary credential, yet the SKILL.md explicitly references API keys, webhooks, OAuth flows and 'email credentials/session' as inputs for decomposed tasks. There's a mismatch: sensitive credentials are implied/required at runtime but not declared or scoped in the skill metadata. The skill could prompt for or handle many unrelated secrets depending on generated workflows.
Persistence & Privilege
The skill does not request always:true, does not declare config path access, and does not modify other skills in the manifest. Model invocation is enabled (default), which is normal. No elevated or persistent privileges are requested in the manifest itself.
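How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install openclaw-super-skills
  3. Once installation completes, call the Skill by name or trigger it with /openclaw-super-skills
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history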
v1.0.0
- Initial release of the task-decomposer skill.
- Decomposes complex user requests into manageable subtasks and identifies required capabilities for each task.
- Searches for existing skills in the open skills ecosystem via skills.sh and recommends installation or creation of new skills if needed.
- Provides phase-driven workflow: task analysis, capability mapping, skill search, gap analysis, skill generation, and execution planning.
- Includes detailed skill creation templates and practical usage instructions.
Metadata
Slug openclaw-super-skills
Version 1.0.0
License MIT-0
Total installs 1
Current installs 1
Number of versions 1
FAQ

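What is Openclaw Super Skills?

Decomposes complex user requests into executable subtasks, identifies required capabilities, searches for existing skills at skills.sh, and creates new skill... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 89 total downloads to date.

How do I install Openclaw Super Skills?

Run the command "/install openclaw-super-skills" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is needed.

Is Openclaw Super Skills free?

Yes, Openclaw Super Skills is completely free and is released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does Openclaw Super Skills support?

Openclaw Super Skills runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Openclaw Super Skills?

Developed and maintained by jpzhengcn (@jpzhengcn); the current version is v1.0.0.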
