- Total downloads: 334
- Favorites: 0
- Current installs: 0
- Versions: 1
Install in OpenClaw
/install runtime-debugging-skill
Description
Diagnose and fix bugs using runtime execution traces. Use when debugging errors, analyzing failures, or finding root causes in Python, Node.js, or Java appli...
Safe-use recommendations
Key things to consider before installing or following these instructions:
- Source verification: There is no homepage or clear publisher provenance. Verify the upstream project/repo (Syncause) and its maintainers before running any installers.
- Don’t run remote installers blindly: Inspect any shell script downloaded via curl|bash and review the contents of packages pulled by npx/@syncause and the wheel URL before executing or adding them to your project.
- Avoid global config edits unless you understand them: The MCP install docs propose writing to many project and global IDE files (~/.vscode, ~/.claude, ~/.codex, etc.). Prefer project-level, reviewable changes and avoid modifying global user configs without consent.
- Secrets handling: The docs show placing API_KEY and other tokens into configs and even include hard-coded tokens in the Java example. Do not commit secrets into repo files. Ask the author why example tokens are present and replace with secure secret storage (env vars, secret managers) and ensure tokens are rotated if they were ever published.
- Prefer pinned versions and reproducible installs: Unpinned 'latest' npx installs and curl|bash patterns are risky. Ask for SHA-verified releases or package-versioned installs instead.
- Code modifications: The skill instructs injecting initialization code into entrypoints and generating a manual installation patch (with advice to avoid git diff). This is unusual; insist on clear diffs and code-reviewable commits so changes are auditable and reversible.
If you decide to proceed for testing, do so in an isolated environment (ephemeral VM/container) and audit the downloaded artifacts first. If you can, request the publisher to declare required env vars and provide verifiable release artifacts (GitHub repo + signed release, or published packages with pinned versions) and remove any hard-coded tokens from documentation.
Functional analysis
Type: OpenClaw Skill
Name: runtime-debugging-skill
Version: 0.1.0
The skill bundle is classified as suspicious due to several high-risk security practices and invasive requirements. It instructs the agent to install a 'Syncause SDK' using insecure methods, including a 'curl | bash' command in 'references/install/nodejs.md' and the use of hardcoded GitHub Personal Access Tokens (PATs) in 'references/install/java.md' to access private repositories. The SDK utilizes bytecode manipulation and runtime tracing to send application data to a remote websocket (wss://api.syn-cause.com). While these capabilities are framed as debugging features, the combination of hardcoded credentials, remote script execution, and instructions in 'SKILL.md' to manipulate the agent's reporting behavior presents a significant security risk and potential for abuse.
Capability assessment
Purpose & Capability
The skill is clearly an instrumentation-based debugger: it instructs adding an SDK, instrumenting application entry points, and running an MCP debug server to collect traces — which is coherent with the stated purpose. However, the installation guidance requires modifying many project and global editor config files (VSCode, Claude, Codex, Gemini, various dotfiles) and running remote installers, which is broader than a minimal debugger and may be unnecessary for many users. Additionally, the Java guide embeds what look like GitHub package tokens directly in the example pom.xml — a disproportionate and suspicious artifact for a simple debug helper.
Instruction Scope
The SKILL.md and reference guides instruct the agent (or user) to: edit project entrypoints to inject init code, create test files and helper scripts, add persistent MCP server config to multiple global/project-level IDE settings, and run reproduction scripts. They also instruct to stop on 'Unauthorized' and configure API_KEY, but the skill metadata declares no required env vars. The guidance to avoid using 'git diff' and instead generate an .syncause/installation.patch manually is unusual and could be used to hide or obscure changes. Overall the instructions allow broad file edits and persistent config changes beyond ephemeral debugging, and they advocate executing remote scripts and packages.
Install Mechanism
There is no packaged install spec in the skill bundle, but the referenced install docs instruct running remote installers: curl|bash from raw.githubusercontent.com, npx -y @syncause/debug-mcp@latest, and adding a Python wheel URL hosted on GitHub releases. curl|bash and unpinned 'npx -y ...@latest' are high-risk (remote code fetched and executed without content review or version pinning). The Java instructions include configuring a GitHub Packages repository with what appear to be embedded tokens. These mechanisms are legitimate for some SDKs, but given their unpinned, remote-execution nature they are high risk.
Credentials
The skill metadata declares no required environment variables or credentials, yet the instructions repeatedly require an API_KEY, projectId, and appName; the MCP login mode shows placing API_KEY into mcp server configs. Worse, the Java guide contains two hard-coded-looking tokens (syncause.repo.token.p1/p2) embedded in sample pom.xml properties. This mismatch (no declared env vars vs many secret-bearing placeholders and example tokens) is a significant proportionality concern.
Persistence & Privilege
The skill is not marked always:true and is user-invocable only, which is appropriate. However, the instructions require persistent changes: adding SDK initialization to application entrypoints, adding MCP server definitions to various global and project IDE settings, and recommending creation of a .syncause folder/installation.patch. Those persistent modifications increase long-term privilege and attack surface (the MCP server runs via npx and may persist in editor configs). This is not automatically malicious but is more invasive than a transient debugging helper.
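How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install runtime-debugging-skill
- Once installation is complete, call the Skill by name or use /runtime-debugging-skill to trigger it
- Provide the required input according to the Skill's parameter description to get structured output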
Version history
v0.1.0
syncause-debugger v0.1.0
- Initial release of Syncause Debugger skill for diagnosing bugs using runtime execution traces in Python, Node.js, and Java applications.
- Includes a structured 4-phase debugging workflow: Setup, Analyze, Summary, and Teardown.
- Provides detailed steps and checks for project/server setup, SDK installation, bug reproduction hierarchy, and test script best practices.
- Introduces runtime trace verification checklists and a "Reproduction Quality Gate" before analysis.
- Documents recommended usage of MCP tools for trace search, inspection, and diffing.
- Emphasizes evidence-based reasoning by attributing findings to live trace data.
FAQ
What is Runtime Debugging Skill?
Diagnose and fix bugs using runtime execution traces. Use when debugging errors, analyzing failures, or finding root causes in Python, Node.js, or Java appli... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 334 total downloads to date.
How do I install Runtime Debugging Skill?
Run the command "/install runtime-debugging-skill" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is Runtime Debugging Skill free?
Yes. Runtime Debugging Skill is completely free, is released under the MIT-0 license, and can be freely downloaded, installed, and used.
Which platforms does Runtime Debugging Skill support?
Runtime Debugging Skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Runtime Debugging Skill?
It is developed and maintained by dxsup (@dxsup); the current version is v0.1.0.