← 返回 Skills 市场
123
总下载
0
收藏
0
当前安装
6
版本数
在 OpenClaw 中安装
/install orchard
功能描述
Agentic project and task management plugin for OpenClaw. Persistent SQLite-backed task board with a queue runner that auto-dispatches ready tasks as subagent...
安全使用建议
What to consider before installing Orchard:
- Clarify permissions: confirm whether the plugin requires operator.write or other elevated gateway permissions to spawn subagents, and only grant the minimal scope needed.
- Run in a sandbox first: install and exercise Orchard in a local/dev OpenClaw instance (use ORCHARD_DEBUG_LOG_ONLY=1 and ORCHARD_DISABLE_ALL_SPAWNS=1) before enabling spawns on a production gateway.
- Keep the standalone UI loopback-only: do not enable uiServer.allowUnsafeBind or change bindAddress from 127.0.0.1 unless you understand the network exposure; the UI proxy forwards browser Authorization headers to the gateway.
- Treat gateway tokens carefully: avoid embedding tokens in HTML; use localStorage token entry as recommended and rotate tokens if you suspect exposure.
- Audit any configured contextInjection.apiKey or third-party API keys: only provide such keys if you trust the provider and understand how injected context will be used/stored.
- Review config.settings (dbPath, limits, debug flags) before enabling in multi-user or shared environments; set tight limits on concurrent executors and disable architects/spawns if you want manual control.
- If you need more assurance, ask the author to explicitly document required OpenClaw permission scopes and provide a minimal-permissions deployment guide. If that clarification is not available, consider classifying the plugin as higher-risk and avoid granting elevated privileges.
能力评估
Purpose & Capability
The plugin implements exactly what its name/description state: a SQLite-backed task board, REST API, dashboard, and a queue runner that spawns subagent sessions. However the plugin documentation and manifest mention it will autonomously spawn subagents and requires operator-level write privileges for that behavior; the registry metadata presented to the evaluator shows no declared credential/permission requirement. This mismatch (behavior that requires elevated agent permissions vs. no declared credential) is unexpected and should be clarified.
Instruction Scope
SKILL.md and README instruct normal install and configuration and accurately describe agent tools, REST endpoints, and the queue runner behavior. The runtime instructions and code include an auth-forwarding standalone UI proxy that deliberately forwards the browser's Authorization header to the gateway (intended behavior), and the queue runner will dispatch ready tasks as subagents — both are within the stated purpose but significantly expand what the agent can do (autonomous dispatching and forwarding bearer tokens).
Install Mechanism
There is no external download/install step in the SKILL.md; source files and build scripts are present and dependencies are standard Node packages (better-sqlite3, TypeScript). No obscure URL downloads or archive extraction are used. The plugin appears packaged as an OpenClaw plugin and built locally via npm/tsc.
Credentials
The package declares no required runtime environment variables or credentials by default, but the README and config schema expose many optional debug env vars and a contextInjection.apiKey field (for embedding external KB providers). Crucially, the plugin's manifest and docs state it will spawn subagents and need operator.write scope, yet the registry metadata did not declare such a primary credential/permission. This is disproportionate: spawning subagents and performing operator-level actions requires elevated platform privileges and should be explicitly declared and gated.
Persistence & Privilege
always:false and standard autonomy settings are used (the agent may invoke the skill autonomously, which is platform-default). The plugin starts a standalone UI proxy by default bound to loopback; the code refuses non-loopback binds unless uiServer.allowUnsafeBind is explicitly set. The combination of autonomous subagent spawning + potential operator.write scope increases blast radius if misconfigured, but the skill does not request permanent 'always' inclusion and does not appear to modify other skills' configs.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install orchard - 安装完成后,直接呼叫该 Skill 的名称或使用
/orchard触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.2.5-rc.5
Release 0.2.5-rc.5
v0.2.4
Security: block SSRF in fetchUrl (private/loopback IPs, non-http schemes); proxy now whitelists headers instead of forwarding all; manifest description explicitly documents autonomous spawning and proxy behavior
v0.2.3
Models endpoint now reads provider list from api.config.models.providers (in-memory, already-parsed OpenClaw config) instead of reading openclaw.json from disk
v0.2.2
Remove undeclared filesystem reads: gateway token now requires explicit uiServer.gatewayToken config, allowModelOverride moved to declared plugin config, models endpoint no longer reads openclaw.json
v0.2.1
Fix: stall reaper was excluding timed-out runs (inverted timeout_at condition); add orphan sweep on startup and each queue tick to reset tasks stuck running with no active run
v0.2.0
Security fixes: payload size limiting, redirect depth cap, XSS prevention in dashboard, input validation whitelists, session cleanup via deleteSession (gateway provides synthetic admin scope)
元数据
常见问题
Orchard 是什么?
Agentic project and task management plugin for OpenClaw. Persistent SQLite-backed task board with a queue runner that auto-dispatches ready tasks as subagent... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 123 次。
如何安装 Orchard?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install orchard」即可一键安装,无需额外配置。
Orchard 是免费的吗?
是的,Orchard 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Orchard 支持哪些平台?
Orchard 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Orchard?
由 derp42(@derp42)开发并维护,当前版本 v0.2.5-rc.5。
推荐 Skills