Total downloads: 343
Favorites: 0
Current installs: 4
Versions: 2
Install in OpenClaw
/install skill-auto-evolver
Description
Analyze and improve OpenClaw agent skills by tracking usage, checking skill health, scanning code quality, and generating actionable improvement suggestions....
Security usage recommendations
This package appears to implement the advertised analyzer/monitor/reporter functionality, but I found multiple red flags you should consider before installing:
- Source verification: the package's source/homepage is 'unknown' and the registry listed it as instruction-only while the bundle contains code. Prefer installing only from a trusted repository (official OpenClaw repo or a verified release).
- Local data access: the tool reads all files under the skills directory (default ~/.openclaw/skills) and writes a SQLite DB to ~/.openclaw/skill-evolver/skill_evolver.db. That is expected for this tool, but any sensitive data accidentally stored inside a skill (API keys, tokens, credentials) could be read and stored in the DB. Inspect your skills for secrets before running a bulk analysis.
- Code quality bugs: there are clear implementation issues (examples: truncated/buggy return in database.add_feedback returning an undefined variable 'c'; some function calls in CLI/reporter reference methods like get_all_skills or get_feedback_stats that are not visible in the truncated model and may be missing or buggy). These likely lead to runtime errors. Treat the tool as experimental until you run it in a safe environment.
- Installation and execution: because the registry lacks an install spec, prefer installing into a virtualenv, container, or isolated machine. Install dependencies (pip install -r requirements.txt) only after reviewing the code locally.
- Mitigations: run the CLI with a non-default skills_dir pointing to a copy of the skills you want to test, inspect the generated DB file, and avoid running as root. If you intend to use it widely, request the upstream source, check commit history, and run tests in a sandbox.
If you can provide the canonical source URL (GitHub repo or release tarball) and confirm whether all referenced DB and helper methods are implemented, I can raise or lower the risk assessment. In particular, evidence of networking code, undisclosed external endpoints, or hidden credential access would increase the severity.
Functional analysis
Type: OpenClaw Skill
Name: skill-auto-evolver
Version: 0.1.1
The skill bundle provides a utility for monitoring and analyzing OpenClaw skills, but it contains a SQL injection vulnerability in 'database/models.py' where the 'days' parameter is inserted into SQLite queries using string formatting rather than parameterization. While the tool's ability to read and analyze all files in the '~/.openclaw/skills' directory is aligned with its stated purpose of code quality analysis, this represents a high-privilege capability. No evidence of intentional malice, data exfiltration, or backdoors was identified.
Capability assessment
Purpose & Capability
The name/description (analyzer/monitor/reporter for skills) aligns with the included code: it inspects SKILL.md, package.json and Python code, records usage, and generates reports. However the registry/manifest states 'No install spec — instruction-only' while the package includes code, package.json, requirements.txt and a CLI; that mismatch is an inconsistency. The README and SKILL.md suggest installation via 'clawhub install', but no install spec exists in the registry metadata.
Instruction Scope
Runtime instructions and the CLI drive local analysis: reading skill directories (defaults to ~/.openclaw/skills), parsing SKILL.md, package.json and Python source, and writing reports/databases under the user home (~/.openclaw/skill-evolver). Those actions are expected for this tool. Caveat: because it reads arbitrary files under the skills directory, it can access any accidentally stored secrets or configuration present in other skills; the behavior is coherent with the stated purpose but may expose sensitive data if skills store credentials in their repos.
Install Mechanism
There is no install spec in the registry but the bundle includes code, requirements.txt, and package.json. That absence of an explicit install mechanism is inconsistent and increases risk (user guidance suggests 'clawhub install' or pip install -r requirements.txt). The presence of package.json (a Node metadata file) in a Python project is odd but not malicious by itself. No network downloads or external installers are present in the provided code.
Credentials
The skill requests no environment variables or external credentials. It stores data locally under the user's home (~/.openclaw/skill-evolver) and reads from ~/.openclaw/skills by default. No access to unrelated cloud credentials, tokens, or system-wide config paths is requested.
Persistence & Privilege
always is false and the skill does not request elevated privileges; it persists a SQLite DB in the user's home directory (expected for a monitoring/reporting tool). Autonomous invocation is allowed by default (normal), but there is no evidence of modifications to other skills' configs or system-wide changes.
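How to use
- Make sure OpenClaw is installed (locally or deployed via Docker).
- Enter the install command in the chat box: /install skill-auto-evolver
- Once installation completes, call the Skill by name or trigger it with /skill-auto-evolver
- Provide the required inputs according to the Skill's parameter description to get structured output.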
Version history
v0.1.1
Rename the skill to skill-auto-evolver and align the published SKILL.md, install command, CLI command, and package metadata with the new name.
v0.1.0
Initial release of skill-auto-evolver.
- Provides a Python CLI tool for automatic monitoring, analysis, and optimization of Agent Skills.
- Tracks usage statistics, evaluates skill health, analyzes code quality, and generates improvement suggestions.
- Supports exporting reports in JSON, Markdown, and HTML formats.
- Includes a Python API for integration with existing skills.
- Offers detailed CLI commands for usage tracking, feedback submission, reporting, and data management.
- Stores data locally using SQLite3.
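Frequently asked questions
What is Skill Auto Evolver?
Analyze and improve OpenClaw agent skills by tracking usage, checking skill health, scanning code quality, and generating actionable improvement suggestions.... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 343 total downloads so far.
How do I install Skill Auto Evolver?
Run the command "/install skill-auto-evolver" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is Skill Auto Evolver free?
Yes. Skill Auto Evolver is completely free under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does Skill Auto Evolver support?
Skill Auto Evolver is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Skill Auto Evolver?
Developed and maintained by haidong (@harrylabsj); the current version is v0.1.1.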