← 返回 Skills 市场
612
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install rush-find-skills
功能描述
Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express...
安全使用建议
This skill is coherent with a 'find and install skills' purpose, but check a few things before installing or running it: 1) Verify the registry — the SKILL.md defaults to https://rush.zhenguanyu.com (a third-party registry). If you don't trust that host, override the registry explicitly or refuse installs from it. 2) Be cautious about using npx or installing reskill globally: those commands will fetch and execute remote code. Prefer reviewing the reskill project source and the specific skill package before installation. 3) Note the metadata mismatches (SKILL.md name/version/author differ from the registry metadata) and the undeclared RESKILL_REGISTRY env var — ask the publisher to clarify. 4) Ensure the agent asks for your explicit approval before any install (the doc says it should, but verify behavior). If you need higher assurance, test searches without installing, or run reskill commands yourself in an isolated environment and inspect any candidate skill code before installation.
功能分析
Type: OpenClaw Skill
Name: rush-find-skills
Version: 0.3.2
The skill is classified as suspicious due to its explicit instructions for the AI agent to perform high-risk operations, including direct shell command execution (`npm`, `npx`, `which`, `reskill`, `mkdir`, `echo`), reading environment variables (`RESKILL_REGISTRY`), and scanning the file system for configuration files (`skills.json`) and agent directories (`.cursor/`, `.claude/`). While these actions are presented as necessary for the stated purpose of finding and installing skills via the `reskill` package manager, they introduce a significant attack surface. A lack of robust input sanitization by the agent when constructing commands from user input or discovered data could lead to shell injection or unauthorized file access, even though the `SKILL.md` itself does not instruct malicious intent.
能力评估
Purpose & Capability
The SKILL.md behavior (searching and installing skills via the reskill CLI) aligns with the declared purpose (finding/installing skills). However there are small inconsistencies: the SKILL.md top-level name/version/author (clawdhub-find-skills, v0.4.0, author=reskill) does not match the registry metadata (owner: kn7..., slug: rush-find-skills, version 0.3.2). These mismatches could indicate stale or copied documentation or sloppy packaging and should be verified.
Instruction Scope
The instructions tell the agent to run the reskill CLI (or fall back to npx reskill@latest) and to consult RESKILL_REGISTRY and defaults.publishRegistry in skills.json. The skill metadata declares no required environment variables, yet the doc expects RESKILL_REGISTRY to be used if present — this is an undeclared environment access. The SKILL.md otherwise follows a narrow workflow (search → present → ask → install) and explicitly recommends asking user consent before installing.
Install Mechanism
This is an instruction-only skill (no install spec). It recommends installing/using an external package (reskill) and falling back to npx, which will download and run remote code from a registry. That behavior is expected for a package-manager-style skill, but the doc's default registry is a third-party URL (https://rush.zhenguanyu.com) rather than a well-known, broadly-trusted host — this raises a supply-chain risk because installed skills come from that registry.
Credentials
The skill requests no credentials or sensitive env vars in its metadata, which is proportionate. However SKILL.md references RESKILL_REGISTRY (an env var) and defaults.publishRegistry in skills.json without declaring them as required; this discrepancy should be clarified. No other sensitive system paths or credentials are requested.
Persistence & Privilege
The skill does not request persistent presence (always:false), does not modify other skills or system-wide settings in the instructions, and relies on user consent before installing other skills. Autonomous invocation is allowed by platform default but is not combined with high privileges here.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install rush-find-skills - 安装完成后,直接呼叫该 Skill 的名称或使用
/rush-find-skills触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.3.2
- Expanded documentation on trust and security; clarified why the Rush registry is used by default and how registry selection works.
- Added instructions to prefer globally installed `reskill` CLI, falling back to `npx` only if needed.
- Improved and streamlined guidance on resolving registries and command examples.
- No functional code changes—documentation only.
v0.3.1
Version 0.4.0
- Added direct skill recommendations for common intents (e.g., creating/publishing skills now recommends @kanyun/rush-reskill-usage without searching).
- Extended usage scenarios to include "create, write, or publish a skill to a registry."
- Updated guidance to skip registry searches and proceed directly to install when well-known intents are detected.
- Step-by-step instructions and workflow remain unchanged for all other queries.
v0.3.0
init-commit
元数据
常见问题
@kanyun/rush-find-skills 是什么?
Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 612 次。
如何安装 @kanyun/rush-find-skills?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install rush-find-skills」即可一键安装,无需额外配置。
@kanyun/rush-find-skills 是免费的吗?
是的,@kanyun/rush-find-skills 完全免费(开源免费),可自由下载、安装和使用。
@kanyun/rush-find-skills 支持哪些平台?
@kanyun/rush-find-skills 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 @kanyun/rush-find-skills?
由 Kris(@krislavten)开发并维护,当前版本 v0.3.2。
推荐 Skills