Reliability Evidence Pack
Author: ChristineOpenclaw · v2.0.2
Total downloads: 349
Favorites: 0
Current installs: 0
Versions: 4
Install in OpenClaw
/install reliability-evidence-pack
Description
Provides tools to record, validate, and report agent operational reliability artifacts using standardized schemas for consistent monitoring and compliance.
Security usage advice
This package appears to do what it says: local collection, schema validation, and bundle generation for reliability artifacts. Before installing or running it:
1) Inspect the large scripts (scripts/rep.mjs, scripts/rep-validate.mjs, scripts/rep-heartbeat-cron.mjs, and github-action/entrypoint.sh) for any network calls or unexpected execs.
2) Configure REP_ARTIFACTS_PATH to an isolated, access-controlled directory and add it to .gitignore.
3) Never place private signing keys in the artifacts directory — use an external KMS/vault.
4) Prefer running the cron/heartbeat scripts in a container or unprivileged account first, and review the GitHub Action entrypoint before adding to CI.
5) If you do not want autonomous agent invocation, disable model invocation for this skill in your agent settings.
If you want, I can scan the full contents of rep.mjs and rep-validate.mjs for network/system calls and highlight any lines of concern.
Functional analysis
Package: (xpi)
Version:
Description: REP v1.0 demonstration bundle with mixed artifact types showcasing chain integrity, content hashing, and reliability evidence collection.
The package implements a 'Reliability Evidence Pack (REP)' system designed for structured logging, validation, and auditing of agent operational data. The core logic, primarily in Node.js scripts, focuses on generating, storing, and verifying artifacts related to agent decisions, performance, health, and incidents. Key functionalities include local file system operations (reading/writing JSONL files to configurable paths), cryptographic hashing (SHA256) for artifact integrity and chain-of-custody, and comprehensive validation of artifact schemas and inter-artifact references.
System information (e.g., CPU, memory, uptime, hostname, PID) is collected by specific scripts (e.g., `rep-heartbeat-cron.mjs`, `rep-performance-baseline.mjs`) but is logged locally as part of the reliability monitoring, not exfiltrated. The `rep.mjs serve` command initiates a local HTTP server to expose bundle statistics and artifacts, which includes `Access-Control-Allow-Origin: '*'`. While this could pose an information disclosure risk if exposed publicly without authentication, the project's documentation explicitly addresses this, warning about sensitive data in artifacts and recommending access control, indicating an intended use for local or controlled internal environments. No outbound network connections for data exfiltration or command-and-control are observed. External command execution is limited to controlled invocations of local scripts or package managers within a GitHub Action context.
The project includes extensive documentation that clearly outlines its purpose, usage, and security considerations, reinforcing its legitimate intent. There is no evidence of obfuscation, arbitrary code execution, or other malicious behaviors. The non-functional nature of `cli/bin/cli.js` is a functional discrepancy, not a security vulnerability.
Capability assessment
Purpose & Capability
Name/description (Reliability Evidence Pack) match the delivered artifacts: JSON schemas, CLI, validation scripts, cron helpers, examples, and CI integration. Requested capabilities (file read/write, process execute, Node runtime) are appropriate for building local artifact capture/validation tooling.
Instruction Scope
SKILL.md instructions stay within the stated purpose (run Node scripts, write to configurable artifacts dir, run local GitHub Action). However, examples and quickstart include absolute user workspace paths and sample commands that read/write user files (e.g., /home/.../.openclaw/workspace, USER.md). These are expected for a logging/audit pack but are sensitive: follow the SKILL.md guidance to isolate REP_ARTIFACTS_PATH and add artifact paths to .gitignore. Also, SKILL.md claims all scripts operate locally with no telemetry — you should still inspect larger scripts (rep.mjs, rep-validate.mjs, and github-action/entrypoint.sh) before use to confirm no unexpected network calls.
Install Mechanism
There is no automated install spec in the registry (instruction-only), which is lower intrinsic risk. The bundle includes a CLI with a package.json; following the documented 'npm install -g' will pull dependencies from the public npm registry (chalk, commander). That is normal but means you will download external packages at install time; installing and running the scripts will write files to disk. The bundle does not include downloads from arbitrary URLs in the SKILL.md.
Credentials
The skill declares no required credentials and only a small set of optional environment variables for artifact and schema paths and log file location. That is proportional to its function. The SPEC mentions artifact signing fields but key management is operator-defined and the SKILL.md explicitly warns not to store private keys in artifacts.
Persistence & Privilege
Registry-level flags provided earlier indicate the skill can be invoked autonomously (disable-model-invocation: false), while the included _meta.json lists 'autonomous_invocation': false — a minor inconsistency. The skill does not request always:true or system-level privileges. Because the skill can be executed autonomously by agents (platform default), consider whether you want the agent to run validation/heartbeat cron scripts without human review.
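How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install reliability-evidence-pack
- After installation completes, invoke the Skill directly by name or use /reliability-evidence-pack to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output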
Version history
v2.0.2
Version 2.0.2
- Expanded "Security Considerations" in SKILL.md with detailed guidance on data handling, signing keys, CI use, and local execution.
- Added best practices and mitigation steps for sensitive artifacts.
- No changes to core logic or scripts. Documentation and metadata update only.
v2.0.1
- Updated Node.js requirement from v14 to v16 or higher in documentation.
- Clarified the required Node.js version for runtime scripts in the "Required Binaries" section.
- No changes to core functionality or interfaces.
v2.0.0
Version 2.0.0
Major update with new CLI, validation scripts, schema coverage, and expanded examples.
- Added full CLI package for command-line use (see cli/).
- Introduced GitHub Action for CI/CD automation (see github-action/).
- Expanded and formalized artifact schemas (see schemas/).
- New core scripts for heartbeat tracking, near-miss events, bundle generation, and validation.
- Provided extensive real-world examples and workflow integrations.
- Removed legacy files; overhauled and expanded documentation.
v1.0.0-rc.1
Initial release candidate introducing core functionality:
- Provides standardized schemas for key reliability artifacts (heartbeats, decisions, context, handoffs, near-misses).
- Includes a validation engine for schema compliance.
- Enables compliance reporting and reliability metric tracking.
- Ready for integration with cron jobs, subagents, and CI/CD pipelines.
- Offers easy CLI commands for validation, initialization, and strict checks.
- Comprehensive documentation and setup guides included.
Metadata
FAQ
What is Reliability Evidence Pack?
Provides tools to record, validate, and report agent operational reliability artifacts using standardized schemas for consistent monitoring and compliance. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 349 total downloads to date.
How do I install Reliability Evidence Pack?
Run the command "/install reliability-evidence-pack" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Reliability Evidence Pack free?
Yes, Reliability Evidence Pack is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Reliability Evidence Pack support?
Reliability Evidence Pack is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Reliability Evidence Pack?
It is developed and maintained by ChristineOpenclaw (@christineopenclaw); the current version is v2.0.2.