← 返回 Skills 市场
zhhkheaven

siyuan-task-skill

作者 zhhkheaven · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
1164
总下载
2
收藏
2
当前安装
1
版本数
在 OpenClaw 中安装
/install siyuan-task-skill
功能描述
Manage tasks in SiYuan Note via its HTTP API. Create, query, update, and organize tasks stored in the 任务清单 document (with a TASK database) and sub-documents for related materials. Use when the user mentions SiYuan, task management, or needs to track work items.
安全使用建议
Key things to consider before installing: - The package contains a pre-filled config.env with a SIYUAN_API_TOKEN and a private/shared-space IP (100.64.0.11). This is sensitive — do not assume the token is harmless. If your runtime can reach that IP, the bundled token may allow access to someone else's SiYuan instance. - The skill metadata claims no required credentials, but the code needs SIYUAN_API_URL and SIYUAN_API_TOKEN and will read/write config.env. That mismatch indicates sloppy packaging or deliberate inclusion of credentials; either way you should not trust embedded tokens. - The code legitimately uses powerful API calls (create/remove docs, modify AV JSON via put_file). Those are expected for managing SiYuan tasks but can also be misused if the token is valid. Ensure the token has minimal privileges or use a dedicated token you control. - Recommended actions: ask the publisher for a source/homepage and a reason the token was bundled; replace the bundled config.env with your own values before running; review the full scripts locally; run the skill in an isolated environment or sandbox; and revoke the bundled token (or block the address) if you have any contact with that SiYuan instance. - If you cannot verify the origin or purpose of the embedded token/URL, avoid enabling autonomous invocation for this skill and prefer a version that requires you to explicitly supply credentials at runtime.
功能分析
Type: OpenClaw Skill Name: siyuan-task-skill Version: 1.0.0 The skill is classified as suspicious due to several high-risk capabilities, even though they are plausibly needed for its stated purpose of managing tasks in SiYuan Note. Key indicators include the broad `Bash(python3:*)` permissions, the `upload_asset` function in `scripts/siyuan_api.py` which can read arbitrary local files and upload them to the SiYuan instance (a form of data exfiltration to the SiYuan application itself), and the `init_database` function in `scripts/task_ops.py` which rewrites the `config.env` file, demonstrating local file modification. Additionally, the `siyuan_api.py` client exposes powerful `sql_query`, `get_file`, and `put_file` methods that allow extensive interaction with the SiYuan internal database and file system, which could be misused if the agent or user input were compromised.
能力评估
Purpose & Capability
The skill's name/description (SiYuan task management) matches its code: it uses the SiYuan HTTP API to create/list/update tasks and related sub-documents. However the registry metadata claims no required environment variables or primary credential while the implementation expects and uses SIYUAN_API_URL, SIYUAN_API_TOKEN, and notebook IDs via a config.env file. Declaring 'no required env vars' is inconsistent with the actual need for an API token and URL.
Instruction Scope
SKILL.md and the scripts instruct the agent to read and modify a local config.env, call many SiYuan API endpoints (create docs, modify blocks, upload assets) and to write SiYuan storage JSON (/data/storage/av/<AV_ID>.json) via the API. Those actions are within the stated purpose (managing the TASK Attribute View and linked sub-documents), but writing AV JSON and using put_file to modify SiYuan storage is powerful — it can change view metadata and bind rows to documents. The instructions do not ask the agent to read unrelated system files or external endpoints beyond the SiYuan instance.
Install Mechanism
There is no install spec (instruction-only runtime plus included Python scripts). No third-party downloads or install hooks are present, which reduces installer risk. The skill does include Python scripts that will be executed by the agent when invoked.
Credentials
The code requires SIYUAN_API_URL and SIYUAN_API_TOKEN (and notebook/AV IDs) but the skill metadata lists no required env vars. Worse, the packaged repo already contains a populated config.env with a SIYUAN_API_TOKEN and internal IP (http://100.64.0.11:52487). Shipping a hardcoded token/URL in the skill bundle is inappropriate: if the token is valid and the runtime can reach that address, the skill could act with that credential. The number and type of credentials are reasonable for the feature, but their presence embedded in the package (not declared) is disproportionate and risky.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It reads and writes its own config.env file (normal for this tool) and calls SiYuan APIs. Autonomous invocation (disable-model-invocation false) is the platform default and not by itself problematic; combined with the embedded token this increases blast radius but there is no evidence the skill attempts to persist beyond its own files.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install siyuan-task-skill
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /siyuan-task-skill 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
SiYuan Note Task Management skill initial release. - Manage tasks in SiYuan Note via Python scripts and HTTP API. - Auto-creates a task database and sub-documents for each task. - Supports task CRUD (create, query, update, delete), status changes, renaming, and attachment of images. - Configuration via simple `config.env` file; auto-initialization with `init` command. - Command-line tool and Python API for both quick usage and programmatic integration. - Detailed data model with customizable columns and automatic handling of notebook/document structure.
元数据
Slug siyuan-task-skill
版本 1.0.0
许可证
累计安装 2
当前安装数 2
历史版本数 1
常见问题

siyuan-task-skill 是什么?

Manage tasks in SiYuan Note via its HTTP API. Create, query, update, and organize tasks stored in the 任务清单 document (with a TASK database) and sub-documents for related materials. Use when the user mentions SiYuan, task management, or needs to track work items. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1164 次。

如何安装 siyuan-task-skill?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install siyuan-task-skill」即可一键安装,无需额外配置。

siyuan-task-skill 是免费的吗?

是的,siyuan-task-skill 完全免费(开源免费),可自由下载、安装和使用。

siyuan-task-skill 支持哪些平台?

siyuan-task-skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 siyuan-task-skill?

由 zhhkheaven(@zhhkheaven)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论