← 返回 Skills 市场
Pubblue
作者
Michael Nome
· GitHub ↗
· v5.1.2
611
总下载
0
收藏
0
当前安装
13
版本数
在 OpenClaw 中安装
/install pubblue
功能描述
Publish and visualize output via the pubblue CLI, with live P2P browser sessions.
安全使用建议
This skill appears to do what it says (publishing and live P2P visualization), but exercise caution before installing and running the external pubblue CLI: 1) There is no source or homepage included in the skill bundle — verify the npm package and its source repository (pub.blue / npm) before installing. 2) Installing via npm or using npx will execute third-party code; prefer inspecting the package source first or installing in a disposable/sandbox environment. 3) The CLI stores an API key in a config file under ~/.openclaw/pubblue by default and can access the agent workspace (OPENCLAW_WORKSPACE); to reduce risk, set PUBBLUE_CONFIG_DIR to a sandboxed directory and avoid placing secrets in shared workspaces. 4) Live mode establishes P2P/browser sessions — only use with trusted peers and in environments where outbound/inbound connections are acceptable. If you need higher assurance, ask the skill author for the CLI source repo or a signed release and audit the package before granting it any credentials or access.
功能分析
Type: OpenClaw Skill
Name: pubblue
Version: 5.1.2
The skill facilitates publishing agent output and establishing live P2P sessions via the pubblue CLI. It involves high-risk operations including global NPM package installation (pubblue@latest) and the execution of a background daemon (pubblue start) for P2P communication. While these capabilities are aligned with the stated purpose of real-time visualization, the requirement for persistent network connections and broad shell permissions (Bash, Read, Write) constitutes a significant attack surface without clear evidence of malicious intent.
能力评估
Purpose & Capability
Name/description (publish & live P2P visualization) match the runtime instructions: SKILL.md only describes using the pubblue CLI to create/list/update/delete pubs and run a daemon for live browser-initiated P2P sessions. Nothing in the instructions asks for unrelated credentials or capabilities. However, the skill provides no source/homepage and relies on an external npm package (pubblue) that is not included in the bundle — the provenance of that CLI is unknown.
Instruction Scope
The instructions tell the agent to install/run the pubblue CLI and to store an API key (via pubblue configure) in a config file under ~/.openclaw/pubblue/config.json (or a directory overridden by PUBBLUE_CONFIG_DIR). The daemon bridges into OPENCLAW_WORKSPACE by default, and live sessions establish P2P/browser connections. These behaviors are consistent with the feature set, but they also give the externally installed CLI potential access to agent workspace files and to networked peers. The SKILL.md also demonstrates reading local files (notes.md, /tmp/view.html) and describes consumptive reads — all reasonable for publishing but worth noting as data exposure vectors.
Install Mechanism
This is an instruction-only skill (no install spec). SKILL.md recommends installing pubblue via npm (npm i -g pubblue@latest) or using npx. That means code will be pulled from the public npm registry at runtime; the skill package itself doesn't contain or vet that code. Using npx can execute remote packages transiently, increasing the risk if the npm package is malicious or compromised.
Credentials
The manifest declares no required env vars or credentials, which is proportional. The runtime docs reference PUBBLUE_CONFIG_DIR and OPENCLAW_WORKSPACE env vars as overrides and instruct storing an API key in a config file. Requiring an API key for the pub.blue service is expected, but persisting that key under the agent workspace (default ~/.openclaw/...) or allowing the CLI to access workspace files increases the blast radius for accidental secret exposure.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide installs itself. Autonomous invocation is allowed (platform default). The skill will persist an API key in its own config file by design, which is normal for a CLI client, but note the default config path is inside the agent's home (~/.openclaw), which could allow access to other agent artifacts if the CLI is compromised.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install pubblue - 安装完成后,直接呼叫该 Skill 的名称或使用
/pubblue触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v5.1.2
Auto-publish from commit ee5f248ff4d308eea7f1e1dc136b27bde54a2228
v5.1.1
Auto-publish from commit 0523641e980cdeba842f8ba6f39f99e0c41af65d
v5.0.0
Auto-publish from commit af1ce1a755d1d30dfd46bdc90e8b652854405379
v3.4.11
Auto-publish from commit ec237efefd9694ab4e9d08b12ece36d4a4959f7c
v3.4.10
Auto-publish from commit 84e5a20a2dc76708443a4752ca3097ccb32727d5
v3.4.7
Auto-publish from commit 47106272487cfdf0f61e1d86bec700ed8c9a440e
v3.4.5
Auto-publish from commit 7ac91d45e11f1fd1ede925a95d212af5fb414fda
v3.4.4
Auto-publish from commit d0101c9711df6b79fbc695c53b58ac5527fbaff4
v3.4.2
Auto-publish from commit 4bab451100c1e2489271bc05b998ec49d56959f9
v3.2.0
Auto-publish from commit 59a843010e5d26608ab59397eb0e3609e16ac0bc
v3.1.0
Auto-publish from commit 36b36fdafb355baa8f4bfb1c002bb545d5bea6b7
v3.0.0
Auto-publish from commit 51c87b4294665232633933d3f964107fbafde334
v2.0.0
Auto-publish from commit 3fed0b6a5e1e744a3e804eaf18cb94750fb3bf9c
元数据
常见问题
Pubblue 是什么?
Publish and visualize output via the pubblue CLI, with live P2P browser sessions. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 611 次。
如何安装 Pubblue?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install pubblue」即可一键安装,无需额外配置。
Pubblue 是免费的吗?
是的,Pubblue 完全免费(开源免费),可自由下载、安装和使用。
Pubblue 支持哪些平台?
Pubblue 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Pubblue?
由 Michael Nome(@xmanatee)开发并维护,当前版本 v5.1.2。
推荐 Skills