Path-Dispatch
Author: TurinFohlen · v1.0.4 · MIT-0
Total downloads: 72 · Favorites: 0 · Current installs: 0 · Versions: 5
Install in OpenClaw: `/install path-dispatch`
Description
Discrete Hamiltonian task dispatch for multi-hop workflows. Maps task dependencies as a graph, precomputes reachability matrices, and solves constrained path...
Security usage recommendations
This skill appears to do what it claims, but exercise caution before running it. Specific recommendations:
- Review the included scripts/dispatch.py yourself (or in a sandbox) before executing. The code uses pickle to save/load a .cache file (filepath.cache). Unpickling attacker-controlled files can run arbitrary code; only use caches you created/trust.
- If you will run this on untrusted triples files or in shared directories, set PATH_DISPATCH_NO_CACHE=1 to disable caching (SKILL.md documents this) or ensure cache files are access-controlled and created only by you.
- The package requires numpy and scipy.sparse (requirements.txt) but no install mechanism is provided; install these dependencies in a controlled environment (virtualenv/container) prior to use.
- Prefer running the script in an isolated environment (container/VM) until you validate its behavior and outputs.
- If you plan to let an agent invoke this skill autonomously, consider restricting which input file paths the agent can pass to it, to avoid the agent pointing the script at unexpected files or attacker-controlled cache files.
If you want, I can: (a) point out the exact lines to change to replace pickle with a safe serialization format, (b) produce a minimal install spec (pip) to include dependencies, or (c) produce a sandboxed wrapper that validates cache contents before unpickling.
Functional analysis
Type: OpenClaw Skill
Name: path-dispatch
Version: 1.0.4
The skill implements a graph-based task dispatcher using a custom triple format. The primary security concern is the use of 'pickle.load()' in 'scripts/dispatch.py' to load cached graph data from a file. This creates a Remote Code Execution (RCE) vulnerability if an attacker can place a malicious '.cache' file in the working directory. While 'SKILL.md' includes a security note warning about this behavior and provides a method to disable it (PATH_DISPATCH_NO_CACHE=1), the inclusion of inherently unsafe deserialization logic for a caching feature is a high-risk vulnerability.
Capability assessment
Purpose & Capability
Name/description, SKILL.md, and the included Python code are coherent: the script parses triple-formatted workflow files, builds a normalized graph with virtual nodes, precomputes reachability, and provides matrix/path/query/deps commands matching the stated purpose.
Instruction Scope
Instructions only tell the agent to run the provided CLI (python dispatch.py <file> ...). They operate on user-supplied triples files and create/read a local cache file (filepath.cache). No instructions attempt to read unrelated system credentials or exfiltrate data, but the script will open arbitrary files the agent points it at (the intended triples file and its .cache).
Install Mechanism
This is an 'instruction-only' skill with bundled Python code and a requirements.txt listing numpy and scipy.sparse but no install spec. There's no declared mechanism for installing dependencies, so the runtime may fail or an installer step (not specified) might be needed — the missing install spec is a deployment/runtime inconsistency.
Credentials
No required credentials are requested (ok). SKILL.md documents an optional env var PATH_DISPATCH_NO_CACHE to disable caching — the registry didn't list any env variables, which is acceptable for optional flags but is an inconsistency to note. More importantly, the script loads and saves a pickle-based cache (filepath.cache) using pickle.load/pickle.dump which can execute arbitrary code if that cache file is attacker-controlled; allowing the agent to read or accept cache files from untrusted locations is a real risk.
Persistence & Privilege
always:false and no system-wide configuration changes are requested (ok). The skill writes per-workflow cache files (filepath.cache) in the same directory as the triples file — this is expected for caching but increases risk surface because those files are untrusted input to pickle on subsequent runs.
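How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install path-dispatch`
- Once installation completes, call the Skill by name or use `/path-dispatch` to trigger it
- Provide the required input according to the Skill's parameter documentation to get structured output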
Version history
v1.0.4
- Added backup metadata file `_meta.json.bak` for the skill.
- Updated environment variable configuration: removed the nonexistent `PATH_DISPATCH_PICKLE_CACHE` in SKILL.md.
v1.0.3
- Added documentation for environment variables: `PATH_DISPATCH_NO_CACHE` and `PATH_DISPATCH_PICKLE_CACHE`.
- No functional code changes; documentation and metadata update only.
v1.0.2
No changes detected in code or documentation for version 1.0.2.
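- Added a security notice, to get around a baffling, pointless review. Good grief, who would deliberately go reading arbitrary binary files? That was never part of the design at all.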
- All features and behaviors remain the same as the previous release.
v1.0.1
- Major refactor: All logic is now contained in a new scripts/dispatch.py module, replacing the previous dispatch.py root file.
- Added requirements.txt for explicit dependency declaration.
- Removed sample documentation files (example_binary.md, example_hyperedge.md) from the codebase.
- Added package structure with scripts/__init__.py.
- SKILL.md updated to clarify script usage, caching, and to increase documented task sequence scale (now 10-1000+ steps).
v1.0.0
Initial release of path-dispatch, a skill for Hamiltonian task dispatch in multi-hop workflows.
- Maps task dependencies as a graph and precomputes reachability matrices for efficient decision-making.
- Supports complex workflows with 10–100+ steps, allowing LLMs to sequence tasks without losing intermediate state.
- Handles hyperedges (multi-source/multi-target tasks) via virtual node normalization, enabling parallel dispatch.
- Provides efficient `next_hops` queries to determine valid next steps within a given step budget, preventing dead ends.
- Command-line interface for graph building, path finding, and dependency querying, with support for markdown triple input format.
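FAQ
What is Path-Dispatch?
Discrete Hamiltonian task dispatch for multi-hop workflows. Maps task dependencies as a graph, precomputes reachability matrices, and solves constrained path... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 72 downloads in total so far.
How do I install Path-Dispatch?
Run the command `/install path-dispatch` in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Path-Dispatch free?
Yes. Path-Dispatch is completely free, released under the MIT-0 license, and can be freely downloaded, installed, and used.
Which platforms does Path-Dispatch support?
Path-Dispatch is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Path-Dispatch?
It is developed and maintained by TurinFohlen (@turinfohlen); the current version is v1.0.4.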