antonia-sz

AI Project Evaluation Assistant

Author: antonia huang · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 434
Favorites: 0
Current installs: 2
Versions: 1
Install in OpenClaw
/install project-evaluator
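Description
Describe a project idea, and the AI systematically evaluates it along four dimensions (market, technical, business, risk), producing an evaluation report, a quick competitor lookup, and MVP recommendations to help you decide whether it is worth building.
Security usage advice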
This skill runs a local Python script that sends your project text and a Bearer API key to an LLM HTTP endpoint (default: https://api.deepseek.com). Before installing or using it: (1) Inspect the code (you already have it) and confirm you trust the API_BASE domain. (2) Do not set your production OPENAI_API_KEY unless you intend that key to be sent to the configured API_BASE; prefer creating a dedicated key for this tool or set API_BASE to your trusted provider. (3) Update or ask the publisher to include the required env vars (OPENAI_API_KEY/DEEPSEEK_API_KEY) in the skill metadata so users are not surprised. (4) If unsure about the endpoint, run the script in a sandboxed environment or monitor outbound network calls. These mismatches (undocumented required creds and an unfamiliar default API host) are why this is rated 'suspicious' rather than 'benign.'
Functional analysis
Type: OpenClaw Skill
Name: project-evaluator
Version: 1.0.0
The skill is designed to evaluate project ideas using an LLM, but it contains significant security vulnerabilities. The `SKILL.md` file provides an `exec` command template that is vulnerable to shell injection because it passes user-provided project descriptions directly into a shell command via the `--idea` flag. Additionally, `scripts/evaluate_project.py` allows writing output to arbitrary file paths provided by the user, which could lead to unauthorized file overwrites. While the logic appears intended for its stated purpose, these flaws represent a high risk of remote code execution and system compromise.
Capability assessment
Purpose & Capability
The code and SKILL.md align with the stated purpose: they call an LLM to generate an evaluation report. However, the skill metadata declares no required environment variables or primary credential while both the README and the script expect an API key (OPENAI_API_KEY or DEEPSEEK_API_KEY). That omission is an incoherence that can mislead users about what secrets are needed.
Instruction Scope
SKILL.md instructs running the included script; the script only takes the idea/context and writes an output file. It does not read unrelated local files. But the script reads environment variables for API credentials and an API base URL — the SKILL.md does not explicitly warn that you'll need to provide an API key or that the key will be sent to the configured API_BASE.
Install Mechanism
No install spec and only a small Python script are included. There is no network installer or archive download. Risk from installation is low.
Credentials
The script requires an LLM API key (OPENAI_API_KEY or DEEPSEEK_API_KEY) and will send it as a Bearer token to API_BASE. The skill metadata does not declare this required credential (primaryEnv none). Additionally, the default API_BASE is https://api.deepseek.com — an unfamiliar third-party domain. If a user sets OPENAI_API_KEY expecting requests to OpenAI, that key would be sent to deepseek.com unless API_BASE is changed, which could leak credentials to an unexpected endpoint.
Persistence & Privilege
The skill has no 'always' privilege and does not request persistent system-wide configuration. It does not modify other skills or system settings.
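How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install project-evaluator
  3. Once installation completes, call the Skill by name or trigger it with /project-evaluator
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.0
Initial release
Metadata
Slug: project-evaluator
Version: 1.0.0
License: MIT-0
Total installs: 2
Current installs: 2
Historical versions: 1
FAQ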

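What is AI Project Evaluation Assistant?

Describe a project idea, and the AI systematically evaluates it along four dimensions (market, technical, business, risk), producing an evaluation report, a quick competitor lookup, and MVP recommendations to help you decide whether it is worth building. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 434 total downloads to date.

How do I install AI Project Evaluation Assistant?

Run the command "/install project-evaluator" in the OpenClaw or Claude Code chat box for one-step installation, with no additional configuration required.

Is AI Project Evaluation Assistant free?

Yes, AI Project Evaluation Assistant is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does AI Project Evaluation Assistant support?

AI Project Evaluation Assistant is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed AI Project Evaluation Assistant?

It is developed and maintained by antonia huang (@antonia-sz). The current version is v1.0.0.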
