kiril-shturman

orchestration, telegram, cron

Author: Kiril-Shturman · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 203
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install pm-dev-orchestrator
Description
Orchestrate a PM bot and one or more Dev bots in a private Telegram group. Use to turn plain chat commands like "DEV skill install <slug>" and "DEV cron add...
Security usage advice
Before installing or running this skill, consider the following:
- Metadata mismatch: The registry declares no required env vars, but SKILL.md requires GROUP_CHAT_ID, PM_FROM_ID and DEV_BOT_TOKEN and asks you to edit ~/.openclaw/openclaw.json. Treat DEV_BOT_TOKEN as a sensitive secret — the package should have declared it.
- Trust boundary: This setup lets a trusted PM bot trigger local CLI commands (clawhub install/update, openclaw cron add/run). If PM_FROM_ID or group configuration is wrong or spoofed, an attacker could cause the Dev server to install arbitrary skills or run cron jobs. Only enable this in a private, well-controlled group and verify PM_FROM_ID carefully.
- CLI outputs may leak secrets: The scaffold returns CLI stdout/stderr (truncated). Ensure clawhub/openclaw commands do not print secrets in outputs before forwarding replies into chat.
- Review installed skills: clawhub install pulls and installs third-party skill code that will run on your server. Consider using an isolated environment or manual review process for newly installed skills.
- Filesystem writes: The script writes temporary job JSON into the workspace and suggests editing openclaw config. Back up configs and ensure workspace path permissions are appropriate.
- Use the included script only for testing: scripts/dev_executor.py is a scaffold that reads stdin or prints parse results; it does not itself integrate with Telegram APIs (intentionally). Integrate only via controlled wrappers and prefer OpenClaw's own gateway allowlist mechanism rather than running an always-on unreviewed daemon.
If you want to proceed: ask the author to update the package metadata to declare the required credentials (mark DEV_BOT_TOKEN as primaryEnv), and consider performing an audit of any ClawHub packages you allow the Dev bot to install. If you want to be safer, run the Dev bot in an isolated VM/container and restrict network/volume access.
Functional analysis
Type: OpenClaw Skill
Name: pm-dev-orchestrator
Version: 1.0.0
The skill provides a remote administration interface for an OpenClaw instance via Telegram, allowing for skill installation and cron job management. While the implementation in `scripts/dev_executor.py` and the instructions in `SKILL.md` include safety measures such as Telegram ID allowlisting and restricted command sets, the capability to remotely install code and manage system persistence (cron) is inherently high-risk. The script uses `subprocess.run` safely to avoid shell injection, but the overall functionality constitutes a powerful remote control mechanism that could be abused if the upstream 'PM bot' is compromised.
Capability assessment
Purpose & Capability
The SKILL.md and scripts implement a Dev-bot executor for Telegram commands (skill and cron management) which aligns with the skill name/description. However the registry lists no required env vars/configs while SKILL.md clearly requires GROUP_CHAT_ID, PM_FROM_ID and DEV_BOT_TOKEN and also instructs edits to ~/.openclaw/openclaw.json and restarting the gateway — a metadata vs. runtime-config mismatch that should have been declared.
Instruction Scope
Instructions are narrowly scoped to reading Telegram group messages, allowlisting the PM sender, and invoking local CLIs (clawhub, openclaw cron). That matches the stated purpose. Caveats: the runtime will execute local CLI commands (which may install/modify code on disk) and capture CLI output (the script truncates and emits CLI output back as chat replies), so CLI outputs could inadvertently reveal secrets or sensitive information unless operators ensure CLI behavior is safe.
Install Mechanism
No install spec — instruction-only plus a small scaffold script. Nothing is downloaded from external URLs or installed automatically by the skill package itself, so there is no immediate supply-chain install risk from this bundle.
Credentials
The SKILL.md demands a Telegram bot token (DEV_BOT_TOKEN) and numeric IDs (GROUP_CHAT_ID, PM_FROM_ID) and suggests writing to ~/.openclaw/openclaw.json; yet the registry metadata declares no required env vars or config paths. DEV_BOT_TOKEN is a sensitive credential and should have been declared as primaryEnv. The script also optionally uses OPENCLAW_WORKSPACE and writes a temp JSON file into the workspace — these filesystem accesses are proportional to the task but should be explicitly declared.
Persistence & Privilege
The skill does not request 'always: true' and does not attempt to alter other skills' configs. It instructs editing the OpenClaw gateway config (~/.openclaw/openclaw.json) which is appropriate for enabling Telegram allowlisting but is a privileged operation and should be performed carefully. Autonomous invocation of commands is part of intended behavior when the Dev bot is configured to run CLI actions.
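How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install pm-dev-orchestrator
  3. Once installation completes, call the Skill by name or trigger it with /pm-dev-orchestrator
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history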
v1.0.0
pm-dev-orchestrator v1.0.0
- Initial release enabling orchestration between a PM bot and Dev bot in a private Telegram group.
- Supports structured commands to manage ClawHub skills and OpenClaw cron jobs via chat.
- Implements strict command parsing and safety rules to prevent unauthorized actions.
- Provides clear configuration and behavioral contracts to ensure secure execution.
- Includes a scaffold script for command parsing and local execution on the Dev side.
Metadata
Slug pm-dev-orchestrator
Version 1.0.0
License MIT-0
Cumulative installs 0
Current installs 0
Historical versions 1
FAQ

What is orchestration, telegram, cron?

Orchestrate a PM bot and one or more Dev bots in a private Telegram group. Use to turn plain chat commands like "DEV skill install <slug>" and "DEV cron add... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 203 cumulative downloads to date.

How do I install orchestration, telegram, cron?

Run the command "/install pm-dev-orchestrator" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is orchestration, telegram, cron free?

Yes, orchestration, telegram, cron is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does orchestration, telegram, cron support?

orchestration, telegram, cron runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed orchestration, telegram, cron?

It is developed and maintained by Kiril-Shturman (@kiril-shturman); the current version is v1.0.0.
