Total downloads: 244 | Favorites: 2 | Current installs: 1 | Versions: 2
Install in OpenClaw:
/install skill-chain
Description
Supply chain intelligence for OpenClaw skills. Use when analyzing the local skill ecosystem, understanding tool and package dependencies, discovering skill c...
Safe-use recommendations
This skill appears to do what it says: it reads local skill directories and manifests, builds an internal graph, and runs offline analyses; it can optionally call clawhub to fetch public metadata. Before installing/running:
1) Review which directories it will scan — by default it includes ~/.openclaw/skills, extensions, and /Applications/.../skills plus global npm locations — and avoid running a full scan if those paths contain sensitive or untrusted files.
2) If you want strict offline operation, skip or avoid the 'ingest enrich' step (the script will skip enrichment when the network is unavailable).
3) Inspect memory/skillchain/graph.jsonl after runs to confirm what it recorded.
4) Note that the script may call npm (via subprocess) to locate global modules; ensure you trust the runtime environment.
If you need higher assurance, run the included scripts in a sandboxed environment or with --dirs limited to folders you control. If you can, review the truncated portions of ingest.py (online/enrich behavior) to confirm it only queries clawhub for public metadata and does not upload local skill source code — if enrichment were to upload local content, reassess as suspicious.
Functional analysis
Type: OpenClaw Skill
Name: skill-chain
Version: 1.0.1
The skill-chain bundle provides supply chain intelligence and ecosystem analysis for OpenClaw skills. It operates by scanning local directories for skill metadata, parsing dependency files (requirements.txt, package.json, pyproject.toml), and performing static analysis on Python scripts using the AST module to identify third-party imports. The scripts (scripts/ingest.py and scripts/analyze.py) implement legitimate auditing features such as dependency tree generation, cycle detection, and health scoring. While it performs network requests to clawhub.ai for metadata enrichment and executes a subprocess call to locate the global npm root, these actions are well-documented and consistent with its stated purpose of ecosystem analysis.
Capability assessment
Purpose & Capability
The name/description (supply-chain analysis of OpenClaw skills) matches what the code and SKILL.md do: discover local skill dirs, parse SKILL.md/requirements/package.json/py files, build a graph, and run analyses. Required resources (reading skill files, scanning default skill locations, parsing manifests) are expected for this purpose.
Instruction Scope
The SKILL.md and scripts instruct the agent to read many local skill folders (default: ~/.openclaw/skills, extensions, /Applications/.../skills, plus project-local and global npm roots) and to parse SKILL.md, requirements.txt, package.json, py scripts, and _meta.json. This is within scope for an ecosystem analyzer, but it does mean the skill will read arbitrary files under those directories. It also documents an optional 'enrich' step that reaches out to the clawhub API to fetch stars/downloads/moderation data; the docs state enrichment is skipped when offline. There is no instruction to exfiltrate full local skill contents to remote services in the provided files.
Install Mechanism
No install spec — instruction-only skill with Python scripts included. Nothing is downloaded or written outside of its own graph storage path; contents are written to memory/skillchain/graph.jsonl under the skill folder. No remote install URLs or archive extraction are present.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The code does use subprocess and urllib.request to discover global npm roots and call the optional clawhub API, which is consistent with the described enrichment feature. No unrelated secret access is requested.
Persistence & Privilege
`always` is false and model invocation is normal. The skill writes its own graph file (memory/skillchain/graph.jsonl). It does not request persistent system-wide privileges or modify other skills' configuration in the visible code. There is no evidence that it attempts to extend its presence beyond its own storage.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install skill-chain
- After installation, call the Skill by name directly or trigger it with /skill-chain
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.1
Security
Fix TLS verification: Removed explicit disabling of SSL certificate verification (ssl.CERT_NONE, check_hostname = False) in _clawhub_get(). All requests to clawhub.ai now use the default SSL context, preventing man-in-the-middle exposure of credentials or API traffic.
Remove credential dependency: Online enrichment no longer reads ~/.codex/auth.json. The clawhub API is public and does not require authentication; all token and Codex-related auth logic has been removed. No local credential files are read.
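As an added illustration of the TLS fix above and of the safe-use advice to review ingest.py's online behaviour (example code, not the project's own): a small AST check that flags the disabled-verification pattern in a Python source file, beside the default-context shape the fix adopts. Both samples are constructed; `_clawhub_get` is only the function name the changelog gives, and the checker is an assumption about how to audit such a script, not a tool the project ships.

```python
import ast
import ssl

# Constructed sample modelled on the v1.0.0 defect described in the changelog;
# it is not the project's actual ingest.py source.
INSECURE_SAMPLE = '''
import ssl, urllib.request
def _clawhub_get(url):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.urlopen(url, context=ctx).read()
'''

# The hardened shape: the default context keeps CA and hostname verification on.
HARDENED_SAMPLE = '''
import ssl, urllib.request
def _clawhub_get(url):
    ctx = ssl.create_default_context()
    return urllib.request.urlopen(url, context=ctx, timeout=10).read()
'''


def find_tls_bypass(source):
    """Return (lineno, description) for each statement that disables TLS checks."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            value = node.value
            for target in node.targets:
                if not isinstance(target, ast.Attribute):
                    continue
                if (target.attr == "check_hostname"
                        and isinstance(value, ast.Constant) and value.value is False):
                    findings.append((node.lineno, "check_hostname set to False"))
                elif (target.attr == "verify_mode"
                        and isinstance(value, ast.Attribute) and value.attr == "CERT_NONE"):
                    findings.append((node.lineno, "verify_mode set to ssl.CERT_NONE"))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "_create_unverified_context"):
            findings.append((node.lineno, "ssl._create_unverified_context() used"))
    return sorted(findings)


def context_is_secure(ctx):
    """Runtime check: accept a context only if both protections are enabled."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname is True
```

Run `find_tls_bypass` over any script that talks to clawhub (or any other HTTPS endpoint) before trusting it; an empty result for the network helper is what the v1.0.1 fix should produce.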
Changes
Online enrichment: enrich works without any token or config. No CLAWHUB_TOKEN or auth file needed.
Code cleanup: Removed load_auth_token(), unused import os, and the Authorization: Bearer header from clawhub requests. Docstring usage example updated.
Compatibility
Breaking: If you previously relied on ~/.codex/auth.json or CLAWHUB_TOKEN for enrich, that is no longer used or supported—enrich is now unauthenticated only. Behavior is otherwise unchanged; scan, enrich, analyze-all, and all analyze subcommands work as before.
v1.0.0
Major upgrade with supply chain intelligence, health scoring, and ecosystem insights.
- New: `analyze-all` one-shot command (reset + scan + health + overlaps + report)
- New: `analyze health` — completeness scoring (0-100) for each skill with specific issues
- New: `analyze overlaps` — auto-detect functionally overlapping or complementary skill pairs
- New: `analyze report` now includes a Key Insights section with actionable recommendations
- Improved: supply-chain tree now shows `invoked_via` (allowed-tools) and `requires_bin` (metadata.requires.bins)
- Improved: package detection now covers pyproject.toml (PEP 621/Poetry), Pipfile, peerDependencies, and AST import scanning
- Improved: tool detection expanded to 15+ CLI/runtime tools (git, docker, redis, kubectl, etc.)
- Improved: scan paths now include project-local `./skills` and `$(npm root -g)/openclaw/skills`
- Fixed: PermissionError no longer crashes scan when encountering restricted directories
FAQ
What is SkillChain?
Supply chain intelligence for OpenClaw skills. Use when analyzing the local skill ecosystem, understanding tool and package dependencies, discovering skill c... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 244 downloads to date.
How do I install SkillChain?
Run the command "/install skill-chain" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is SkillChain free?
Yes, SkillChain is completely free and released under the MIT-0 license; you can download, install and use it freely.
Which platforms does SkillChain support?
SkillChain is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who developed SkillChain?
Developed and maintained by hyx-cn (@hyx-cn); the current version is v1.0.1.