← 返回 Skills 市场
354
总下载
0
收藏
0
当前安装
4
版本数
在 OpenClaw 中安装
/install papermc-ai-ops
功能描述
Manage PaperMC Minecraft servers through safe, controlled interfaces. Use for server lifecycle management, backups, plugin operations, and health monitoring...
安全使用建议
Key things to consider before installing or running this skill:
- Do not run the publish scripts (publish_skill.py or publish_to_clawhub.py) unless you explicitly want to upload the repository to ClawHub. They contain a hard-coded API token and will gather and POST many local text files — this could leak sensitive local content. Remove or rotate that token and review the scripts before any execution.
- The SKILL.md safety policy forbids direct systemctl use, but manage_server.py calls systemctl (with sudo). Running that script will require sudo privileges and can perform system-level service restarts. If you allow the agent to run this skill, ensure the agent runs under a least-privilege account and review/modify the service_action implementation (avoid sudo or require manual confirmation).
- plugin_manager.py and plugin_upgrade_framework.py will download jars from URLs and delete/replace plugin files. This is expected functionality but is powerful: verify URLs and run upgrades first in a test environment. Ensure backups work and point SERVER_DIR to a test server before executing.
- The code contains developer-specific default paths (e.g., /home/yan/projects/..., SERVER_DIR = '/path/to/your/papermc-server') — update all path constants before use to avoid accidental operations on unintended directories.
- There are undeclared dependencies used by scripts (requests, requests-toolbelt). Install and audit these packages from trusted package sources before running.
- If you want to proceed: (1) audit and remove or sanitize publish_* scripts (or at minimum remove the embedded API token), (2) set SERVER_DIR and SERVICE_NAME to safe test targets, (3) run in a staging environment first, (4) avoid running scripts as root or with sudo unless necessary and reviewed, (5) consider restricting the agent's ability to autonomously invoke high-risk operations (require human confirmation for restart/update steps).
Given the hard-coded token and the contradiction between declared safety rules and actual system commands, treat this skill as suspicious until you perform the code review and sanitization steps above.
功能分析
Type: OpenClaw Skill
Name: papermc-ai-ops
Version: 2.0.1
The skill bundle is classified as suspicious primarily due to the inclusion of a hardcoded, sensitive API token for clawhub.ai across multiple files (simple_publish.sh, publish_skill.py, and publish_to_clawhub.py), which constitutes a significant credential leak. While the bundle's stated purpose is legitimate PaperMC Minecraft server management, it contains scripts with high-risk capabilities, including downloading and replacing executable JAR files from remote URLs (plugin_manager.py, update_paper.py, and plugin_upgrade_framework.py) and executing system-level commands via sudo systemctl (manage_server.py). Although these features are consistent with server administration, the exposure of credentials and the broad system access rights required make the bundle a security risk.
能力评估
Purpose & Capability
Most code (manage_server.py, plugin_manager.py, update_paper.py, plugin_upgrade_framework.py, backup.sh, health_check.sh) is coherent with PaperMC server lifecycle/backup/plugin operations. However, the repository also contains publishing scripts (publish_skill.py, publish_to_clawhub.py) that are unrelated to runtime server management and embed an API token inside the source. These publish scripts can upload many local text files to a remote service, which does not fit the core runtime purpose of safely operating a PaperMC server and is disproportionate to the stated capabilities.
Instruction Scope
SKILL.md instructs operators to 'never use' direct system commands (including systemctl stop/restart) and to route operations through the approved Python scripts. Yet manage_server.py invokes systemctl (and uses sudo for service actions). That is a direct contradiction between the written safety policy and the implementation. The plugin upgrade framework performs network calls (Hangar API) and writes logs to ~/.openclaw; plugin_manager.py downloads arbitrary URLs and writes them into the plugins directory — behavior consistent with purpose but also granting broad discretion to fetch and install external artifacts. The publish scripts walk the repository and upload many files to ClawHub when run — they are not referenced as part of normal server management and could exfiltrate repository content if executed.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically written during install. However, the skill includes many executable code files that the user (or agent) can run. Some scripts (publish_skill.py) rely on external Python packages (requests-toolbelt) not declared in SKILL.md. No remote installers or downloadable archives are used, which lowers installation risk, but presence of runnable publish/upload scripts increases the effective attack surface if run.
Credentials
The registry metadata declares no required environment variables or credentials, but publish_skill.py and publish_to_clawhub.py contain a hard-coded API_TOKEN (clh_kZ-...). Embedding an API token in code is a secret-management anti-pattern and creates an exfiltration/abuse risk if those scripts run. Scripts also assume sudo/systemctl privileges (manage_server.py uses sudo systemctl) which require elevated OS privileges not declared or constrained by the skill metadata. plugin_upgrade_framework.py writes logs to the user's home directory and uses network calls to third-party APIs (hangar.papermc.io).
Persistence & Privilege
The skill is not marked always:true, and there is no evidence it attempts to persistently enable itself in other skills or system-wide configurations. It creates application-level directories and writes logs under ~/.openclaw, which is within expected scope for a management tool. Autonomous invocation is allowed by default (disable-model-invocation=false) — this is platform default and not flagged by itself.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install papermc-ai-ops - 安装完成后,直接呼叫该 Skill 的名称或使用
/papermc-ai-ops触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.0.1
Release v2.0.1: Enhanced with Plugin Upgrade Framework
v2.0.0
v2.0.0: Added plugin upgrade framework based on ViaVersion 5.7.2→5.8.0 real-world experience
v1.1.0
papermc-ai-ops 1.1.0 initial release
- Added multiple scripts for server cost tracking, upgrade scoring, daily and weekly checklists, and plugin compatibility research.
- Introduced a formal version management and upgrade decision process, including a weekly upgrade scoring system in documentation.
- Expanded documentation to detail upgrade/rollback criteria, scoring, and operational best practices.
- Maintained strict backup-first and “no direct commands” safety policies.
v1.0.0
Initial release of papermc-ai-ops:
- Provides safe, script-based management for PaperMC Minecraft servers.
- Supports server lifecycle management, plugin operations, and automated health checks.
- Enforces a backup-first policy before any changes.
- All actions are performed through controlled Python scripts (no direct destructive commands).
- Includes detailed documentation, workflow examples, and configuration guidance.
元数据
常见问题
PaperMC AI Operations 是什么?
Manage PaperMC Minecraft servers through safe, controlled interfaces. Use for server lifecycle management, backups, plugin operations, and health monitoring... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 354 次。
如何安装 PaperMC AI Operations?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install papermc-ai-ops」即可一键安装,无需额外配置。
PaperMC AI Operations 是免费的吗?
是的,PaperMC AI Operations 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
PaperMC AI Operations 支持哪些平台?
PaperMC AI Operations 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 PaperMC AI Operations?
由 Yan(@yanxi1024-git)开发并维护,当前版本 v2.0.1。
推荐 Skills