← 返回 Skills 市场
AI Persona Engine
作者
SPFAdvisors
· GitHub ↗
· v2.1.0
· MIT-0
144
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install persona-engine
功能描述
Create and customize AI personas with voice, face, personality, memory, and cross-platform behavior using an interactive wizard and safe update tools.
安全使用建议
This skill looks like a full-featured persona builder and includes many local scripts to generate persona files, voice/image config, and memory scaffolding — so it's plausible for its stated purpose. However: 1) the package metadata declares no required environment variables but the wizard and references clearly request multiple external API keys (ElevenLabs, Gemini/Google, xAI). Ask the author or inspect scripts to see where API keys are stored (plain text vs keyring) before entering secret keys. 2) The wizard auto-installs an 'agent-selfie' component and supports 'spontaneous' voice/image triggers; confirm what that component does and how unsolicited generations are triggered and stored. 3) The 'persona-fleet' feature implies cross-machine or network discovery — review persona-fleet.py to confirm whether it enumerates or contacts remote hosts and what credentials it needs. 4) If you plan to use real accounts or sensitive data, run the skill in a sandboxed environment or inspect/execute the scripts manually to verify they don’t transmit workspace contents or keys to external endpoints. Providing the contents of persona-create.sh, persona-fleet.py, and persona-export/import scripts (or a statement from the author about where keys are persisted and what auto-install does) would raise confidence and could move this assessment toward benign.
功能分析
Type: OpenClaw Skill
Name: persona-engine
Version: 2.1.0
The persona-engine skill bundle provides a robust framework for managing AI identities but contains a path traversal (ZipSlip) vulnerability in `scripts/persona-import.sh`. The import script extracts files from zip bundles without validating that the destination paths remain within the target workspace, potentially allowing a malicious bundle to overwrite sensitive files outside the intended directory. While the bundle demonstrates benign intent through features like automated API key stripping in `scripts/lib/config.py` and comprehensive documentation, the inclusion of this high-risk vulnerability necessitates a suspicious classification.
能力评估
Purpose & Capability
The code and docs align with the stated purpose (generating SOUL.md, USER.md, TTS/image config, memory scaffolding). However the SKILL metadata declares no required environment variables or credentials while the runtime instructions and config explicitly expect provider API keys (ElevenLabs, Gemini/Google, xAI/Grok). That mismatch is a coherence problem: the skill will ask for and use external service keys but does not declare them.
Instruction Scope
Runtime instructions direct the agent to read and write workspace files (~/.openclaw/workspace and openclaw.json), collect API keys interactively, generate and save reference images, and enable spontaneous voice/image triggers. The wizard also promises a 'persona-fleet' view across machines and an automatic install of an 'agent-selfie' skill — both of which broaden scope beyond a local generator and could involve network scanning or cross-system operations. These behaviors are not limited to the minimal task of generating persona files.
Install Mechanism
No install spec is declared (instruction-only), which lowers install-time risk. The package nonetheless contains many executable scripts that will be run locally when invoked. The SKILL.md references installing via 'clawhub' and auto-installing 'agent-selfie' during persona creation; how that auto-install is performed is not specified. Lack of an explicit, auditable install step for the auto-install behavior is a concern to verify before running.
Credentials
The skill declares no required env vars, yet the wizard and docs repeatedly request API keys for multiple external providers (ElevenLabs, Google Gemini, xAI/Grok). Requiring multiple unrelated provider credentials for a single persona tool is plausible, but the registry metadata should declare these. There's also a claim that exports 'exclude API keys' — unclear where keys are stored (openclaw.json, OS keyring, or plain text). This ambiguity increases the risk of accidental credential exposure.
Persistence & Privilege
always:false (good) and autonomous invocation is allowed by default. However the skill claims to auto-install another skill ('agent-selfie') and to enable spontaneous voice/image triggers that operate without explicit user prompts. Auto-installing other skills and enabling unsolicited behavior increases the attack surface and is not justified clearly in the documentation.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install persona-engine - 安装完成后,直接呼叫该 Skill 的名称或使用
/persona-engine触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.1.0
v2.1: persona preview, migration tool, personality blending, multi-agent fleet management, 8 community templates, voice audition, safe updates with diff, validate, dry-run. 50 files, 77 tests.
v2.0.0
v2: persona preview, migration tool, personality blending, multi-agent fleet management, 8 community templates, voice audition, safe updates with diff preview, validate & dry-run commands. 77 tests, zero external deps.
元数据
常见问题
AI Persona Engine 是什么?
Create and customize AI personas with voice, face, personality, memory, and cross-platform behavior using an interactive wizard and safe update tools. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 144 次。
如何安装 AI Persona Engine?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install persona-engine」即可一键安装,无需额外配置。
AI Persona Engine 是免费的吗?
是的,AI Persona Engine 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
AI Persona Engine 支持哪些平台?
AI Persona Engine 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 AI Persona Engine?
由 SPFAdvisors(@spfadvisors)开发并维护,当前版本 v2.1.0。
推荐 Skills