project-assistant
Author: Northcipher · GitHub ↗ · v1.0.0 · MIT-0
Total downloads: 351
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install project-assistant
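Description
A project initialization and intelligent analysis tool. Use it when the user asks to initialize a new project, analyze a project's structure, or ask questions about a project. Trigger words: 初始化项目 (initialize project), init, 分析项目 (analyze project), 项目问答 (project Q&A).
Security usage recommendations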
Before installing or enabling this skill:
1) Inspect SKILL.md, scripts/feishu_doc_manager.py and scripts/analyzers/env_scanner.py to understand what data is read, logged, or transmitted.
2) Be cautious storing any API tokens or secrets: the skill stores config in config.json (cross-session) and supports Feishu tokens; only add tokens if you trust the code and destination.
3) If you plan to run it on sensitive repositories, run it in a sandbox or on a copy without secrets (or remove .env and credentials first).
4) Remove or review any unicode/control characters in SKILL.md (they could be a prompt-injection artifact).
5) If you need guarantees about data exfiltration, require explicit declarations of external endpoints and audit the network behavior of feishu_doc_manager before providing tokens.
If you want me to, I can scan the specific files (feishu_doc_manager.py, env_scanner.py, qa_doc_manager.py) and summarize any external network calls, data serialization, or obvious secret-handling code.
Functional analysis
Type: OpenClaw Skill
Name: project-assistant
Version: 1.0.0
The bundle is a highly capable project analysis tool that includes several high-risk 'dual-use' features. Specifically, 'scripts/analyzers/env_scanner.py' is designed to scan the entire project for sensitive secrets, including OpenAI API keys, AWS credentials, and private keys, while 'scripts/analyzers/ipc_analyzer.py' maps out system-level communication interfaces. While these are framed as developer aids, they facilitate the aggregation of sensitive data. Additionally, multiple parsers (e.g., 'manifest_parser.py' and 'maven_parser.py') utilize the 'xml.etree.ElementTree' library, which is inherently vulnerable to XML External Entity (XXE) attacks. No evidence of intentional data exfiltration was found, but the combination of secret harvesting and vulnerable parsing logic warrants a suspicious classification.
Capability assessment
Purpose & Capability
Name/description align with the included code: the repo contains many Python scripts for detection, analyzers, QA document management and Feishu integration and the skill only requires python3. However README/SKILL.md mention Feishu tokens (feishu.doc_token, etc.) and cross-session config storage (config.json) but the skill's declared requirements list no environment variables — the feature is supported via stored config rather than explicit declared env vars. That's plausible but worth calling out because credentials may be stored in config.json rather than passed as env vars.
Instruction Scope
SKILL.md instructs the agent to scan a project directory, read and update .claude/project.md, run many local analyzers (detector, cache manager, qa_doc_manager, feishu_doc_manager, env_scanner, call-chain analyzer). Those analyzers can read arbitrary project files (including .env, config files, source) and the env_scanner module is present, which may detect/expose environment variables or secrets. SKILL.md also contains detected unicode-control-chars (prompt-injection) which could be an attempt to influence runtime behavior. The instructions do not explicitly warn users about scanning for secrets or external transmission of generated reports.
Install Mechanism
No install spec (instruction-only) and required runtime is just python3. Code is provided with the skill (many Python scripts) and will be executed locally; there is no suspicious remote download/install mechanism in the manifest.
Credentials
The skill declares no required environment variables (good), but supports storing arbitrary configuration (config.json) and references Feishu integration in README/SKILL.md. Feishu tokens are referenced in docs (feishu.doc_token, etc.) and could be stored in config.json via the config_manager. The ability to store arbitrary custom keys (custom.*) means secrets could be persisted across sessions; this is functionally coherent but sensitive and not made explicit in the top-level requirements.
Persistence & Privilege
always:false (normal). The skill persists configuration to config.json in its baseDir (documented) to enable cross-session settings. It does not request global system modifications or 'always' inclusion. However cross-session stored config can contain tokens/keys — the skill is allowed to persist data within its own directory.
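How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install project-assistant
- Once installation completes, call the Skill by name or use /project-assistant to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history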
v1.0.0
Initial release of project-assistant.
- Provides project initialization and intelligent Q&A support for 50+ project types.
- Supports role-based analysis (architect, developer, manager, tester, DevOps).
- Includes command system for config management, project init, Q&A docs, and Feishu integration.
- Implements step-by-step flow: detect project, check docs, cache, search Q&A, answer, and document.
- Modular structure with extensible guides and submodules.
- Requires Python 3.6+ (Git and PyYAML optional).
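FAQ
What is project-assistant?
A project initialization and intelligent analysis tool. Use it when the user asks to initialize a new project, analyze a project's structure, or ask questions about a project. Trigger words: 初始化项目 (initialize project), init, 分析项目 (analyze project), 项目问答 (project Q&A). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 351 cumulative downloads so far.
How do I install project-assistant?
Run the command "/install project-assistant" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.
Is project-assistant free?
Yes. project-assistant is completely free, released under the MIT-0 license, and may be freely downloaded, installed and used.
Which platforms does project-assistant support?
project-assistant is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed project-assistant?
It is developed and maintained by Northcipher (@northcipher); the current version is v1.0.0.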