pallaoro

Rule Spec

By Ric · GitHub ↗ · v1.0.7 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 113
Favorites: 0
Current installs: 0
Versions: 4
Install in OpenClaw
/install rulespec
Description
Define, manage, and compile business rules as structured YAML data into LLM-ready prompts and agent-loadable SKILL.md files. Use when the user wants to creat...
Security usage advice
This skill appears to do what it says, but exercise caution before running it. Key steps to reduce risk:
- Verify the npm package: find the official rulespec package name, publisher, repository URL, and a release tag/commit. Do not run npx against an unknown package without inspection.
- Prefer a pinned, audited install (add an explicit install spec or vendor the code) rather than 'npx' dynamic fetches.
- Inspect the rulespec code (or its GitHub release) for any file I/O behavior, path handling, and network calls.
- Run first in an isolated environment (container or VM) and with a non-privileged account. Back up your skills/ directory before using emit.
- Avoid running this skill autonomously on an agent with wide filesystem privileges; restrict which paths it can read/write and validate any domain/outdir values to prevent overwrites or path traversal.
- If you need to allow the CLI to read example files, limit inputs to non-sensitive test data and avoid passing system paths (e.g., do not pass /etc, home, or application config files).

If you can obtain the package repository or a signed release, re-run this evaluation with that information — it would raise confidence and likely move the verdict toward benign if the source is legitimate and reviewed.
Functional analysis
Type: OpenClaw Skill
Name: rulespec
Version: 1.0.7
The skill bundle provides a CLI-based workflow for managing business rules using the `rulespec` package via `npx`. It includes high-risk capabilities such as reading arbitrary files (via the `--input` flag in `add-example`) and writing to arbitrary directories (via the `--outdir` flag in `emit`), which could be exploited for data exfiltration or unauthorized file system modification. While these features are aligned with the stated purpose of rule management and compilation, the lack of path sanitization and the reliance on external code execution via `npx` constitute significant security risks in an agentic context.
Capability assessment
Purpose & Capability
Name/description align with the CLI-based workflow documented in SKILL.md: defining rules in rulespec.yaml, validating, compiling, and emitting SKILL.md files. There are no unrelated declared env vars or binaries.
Instruction Scope
The SKILL.md instructs callers to run 'npx rulespec' and to supply arbitrary file paths for inputs/outputs and --file. That means the tool will read arbitrary local files (including PDFs/JSON) and write emitted SKILL.md files to a default path (skills/{domain}/SKILL.md). Those behaviors are plausible for a rules management CLI but also allow reading sensitive local files and overwriting skill files if misused. The instructions give broad discretion (file paths, outdir) without describing path validation or safeguards.
Install Mechanism
No formal install spec is provided in the registry, but the SKILL.md explicitly recommends using 'npx rulespec' which will download and run a package from the npm registry at runtime. Relying on npx to fetch remote code each time increases risk (supply-chain or trojaned package). The registry does not include a pinned package name, source URL, checksum, or a vetted install mechanism.
Credentials
The skill declares no required environment variables or credentials (proportionate). However, runtime usage accepts arbitrary file paths and emits files to the local filesystem, which can expose or modify sensitive data even without declared env secrets.
Persistence & Privilege
always:false (good), but the workflow writes generated SKILL.md files to skills/{domain}/SKILL.md (and supports custom outdir). That can overwrite existing skills or other files under the skills directory if domains/outdirs aren't constrained. The skill does not declare safeguards against accidental/hostile overwrites or path traversal.
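How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install rulespec
  3. Once installation completes, invoke the Skill by name or trigger it with /rulespec
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history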
v1.0.7
- Renamed the examples field from description to note for global examples, updating all related CLI commands (now use --note instead of --description).
- Added a new Programmatic usage section demonstrating how to load and inject rules at runtime via TypeScript.
- No functional logic or CLI changes; documentation and field naming only.
v1.0.6
- Adds rule-specific example management: new CLI commands for adding/removing examples tied to individual rules.
- Expands example input/output support: now accepts inline JSON, JSON file paths, and other file types (e.g., PDFs).
- Clarifies difference between global and rule-specific examples in documentation.
- Improves documentation and onboarding with an added summary, clearer sectioning, and more usage examples.
- No changes to code files in this release; this update is documentation-focused.
v1.0.5
- Expanded skill description to cover more business rule management use cases and trigger phrases.
- Added new CLI commands for editing rules, managing sources and examples, and performing find-and-replace with validation.
- Clarified CLI-driven workflow and allowed manual editing of rulespec.yaml for advanced cases (with validation).
- Detailed command usage examples for each step, including setup, editing, and emission.
- Emphasized principles of safe editing, schema validation, and secure handling of sensitive/example data.
v1.0.4
- Initial release of the rulespec skill for managing business rules as structured data.
- Introduces a CLI for creating, editing, validating, compiling, and emitting business rules and SKILL.md files.
- Enforces a workflow that always uses the CLI to maintain validation and sync between source files and output.
- Supports rule intents (enforce/inform/suggest), sources, and testable examples.
- Outputs SKILL.md files with YAML frontmatter and intent-tagged rules for agent use.
Metadata
Slug rulespec
Version 1.0.7
License MIT-0
Total installs 0
Current installs 0
Historical versions 4
FAQ

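What is Rule Spec?

Define, manage, and compile business rules as structured YAML data into LLM-ready prompts and agent-loadable SKILL.md files. Use when the user wants to creat... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 113 downloads to date.

How do I install Rule Spec?

Run the command "/install rulespec" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Rule Spec free?

Yes, Rule Spec is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Rule Spec support?

Rule Spec runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Rule Spec?

It is developed and maintained by Ric (@pallaoro); the current version is v1.0.7.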
