← 返回 Skills 市场
Openclaw Whisperer
作者
PhenixStar
· GitHub ↗
· v1.2.0
1553
总下载
0
收藏
5
当前安装
1
版本数
在 OpenClaw 中安装
/install openclaw-whisperer
功能描述
Comprehensive diagnostic, error-fixing, and skill recommendation tool for OpenClaw
安全使用建议
This repository looks like a legitimate diagnostic/repair tool, but several red flags mean you should not run it blindly: 1) SECURITY.md claims 'no network calls', yet fix-recipes and references include docker pull, wget (GitHub release), npm installs and openclaw skill installs — ask the author to clarify and provide an explicit network policy. 2) The package does not declare any required environment variables, but many recipes reference sensitive tokens (OPENAI_API_KEY, GATEWAY_TOKEN, Slack/Discord tokens). Verify exactly when/where the tool will read or transmit secrets and avoid providing credentials until reviewed. 3) Several fix recipes run destructive system commands (kill -9, systemctl start, cp/mv, chmod) and shell pipelines (lsof | xargs kill) — inspect how the Python code executes recipe commands (does it use shell=True?) and test in a safe environment first. 4) The self-updater and runtime downloads increase risk; prefer running the code in an isolated/sandboxed environment or container, review/upstream hashes for downloaded artifacts, and disable automatic updates until you trust the source. If you plan to use auto-fix features, back up your openclaw.json and relevant data first and enable interactive confirmation for risky recipes. If possible, request the maintainer to: (a) document exact network endpoints used, (b) declare required env vars in the manifest, and (c) remove or explicitly mark any remote-download steps so you can vet them before execution.
功能分析
Type: OpenClaw Skill
Name: openclaw-whisperer
Version: 1.2.0
The skill bundle is classified as suspicious due to high-risk capabilities, specifically the execution of `npm install -g` commands without explicit user confirmation when the `--auto-fix` flag is used. While the stated purpose is to install core OpenClaw components (`pnpm`, `openclaw` CLI), this action (defined as `safe_auto: true` in `data/fix-recipes.json`) downloads and executes code from external registries, posing a significant supply chain risk. The `SECURITY.md` documentation's examples for `safe_auto: true` (info messages, config reads, version checks) do not align with the actual execution of software installations, indicating a potential misrepresentation of safety. Other powerful commands like `kill -9`, `chmod`, and `docker rm` are appropriately marked `safe_auto: false` (requiring confirmation), but the breadth of system-level operations still presents a high-risk profile for a diagnostic tool.
能力评估
Purpose & Capability
Name/description (diagnostic + auto-fix + recommendations) align with included Python scripts and data files. Requiring python3 and installing small Python deps is proportionate. However, the skill's docs and fix-recipes reference provider API keys, gateway tokens, channel tokens and installation of third-party binaries (docker pull, wget, npm install -g, openclaw skills install). The registry metadata declares no required env vars, which is inconsistent with the many references to sensitive environment variables and external integrations in the code and docs.
Instruction Scope
SKILL.md and the included references/fix-recipes instruct the agent to run commands that modify configs, kill processes, start system services (systemctl start docker), perform network operations (docker pull, wget from GitHub releases, npm install -g), and run interactive setup flows. Those actions are within a diagnostic tool's remit but expand the scope to system-level changes and network I/O. The SECURITY.md asserts 'No network calls to external services' but fix recipes clearly include network operations — a direct contradiction.
Install Mechanism
The declared install step is a simple pip install of common Python libs (click, rich, requests, beautifulsoup4) which is low risk. However, the package includes a self-updater and recipes that download binaries or images (wget, docker pull, npm installs). Those runtime downloads are not part of the declared install spec and raise risk because they pull code/assets from external sources at runtime.
Credentials
The skill declares no required env vars, yet the data and references list many sensitive variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, GATEWAY_TOKEN, channel tokens, Slack/Discord tokens, etc.) and fix recipes read/modify openclaw.json, .env and may template or inject values. That mismatch is suspicious: the skill appears designed to operate with secrets and external integrations but does not declare or request those explicitly. The user must understand where secrets are read/written and whether the skill transmits them.
Persistence & Privilege
always:false (good). The skill includes a self-updater, fix logging/backups, and can run commands that change system state (install packages, start/stop services). Autonomous invocation is allowed (disable-model-invocation:false) which is normal, but combined with the ability to perform network downloads and system commands it increases blast radius. The skill does not request to be always-enabled or to modify other skills' configs directly in the manifest, but it does include instructions (openclaw skills install ...) that could change the agent's skill set at runtime.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install openclaw-whisperer - 安装完成后,直接呼叫该 Skill 的名称或使用
/openclaw-whisperer触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.2.0
Security hardening: safe_auto fixes, shlex.split, SECURITY.md
元数据
常见问题
Openclaw Whisperer 是什么?
Comprehensive diagnostic, error-fixing, and skill recommendation tool for OpenClaw. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1553 次。
如何安装 Openclaw Whisperer?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-whisperer」即可一键安装,无需额外配置。
Openclaw Whisperer 是免费的吗?
是的,Openclaw Whisperer 完全免费(开源免费),可自由下载、安装和使用。
Openclaw Whisperer 支持哪些平台?
Openclaw Whisperer 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Openclaw Whisperer?
由 PhenixStar(@phenixstar)开发并维护,当前版本 v1.2.0。
推荐 Skills