← 返回 Skills 市场
370
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install skill-cross-agent
功能描述
跨机器Agent协作 - 通过SSH连接局域网内其他OpenClaw实例,实现多机任务分发
安全使用建议
This skill behaves like an SSH-based remote control tool and is coherent with the description, but it has multiple risky practices you should consider before installing:
- Credentials: The skill stores default_pass in plaintext under ~/.config/openclaw/cross-agent.conf (it appends values). Avoid saving passwords; prefer SSH key authentication instead.
- sshpass and process exposure: The scripts use sshpass and pass passwords on the command line, which can be visible to local users via process listings—only use in trusted, isolated environments.
- Host key checking disabled: All SSH calls set StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null, disabling host-key verification and increasing MITM risk on untrusted networks.
- Network scanning and remote exec: The skill scans subnets and can run arbitrary commands on remote machines; this can be intrusive and should only be used on networks and hosts you control and trust.
- Silent metadata mismatch: Metadata declares no required config paths, but the skill reads/writes ~/.config/openclaw/cross-agent.conf—this is an incoherence to be aware of.
- Installer prompts for sudo: The wizard/install may run apt install under sudo to add dependencies—review before consenting.
Actions you can take:
- Inspect the included scripts locally before running; consider removing or altering insecure behaviors (remove sshpass usage, enable host-key checking, stop storing plaintext passwords).
- Use SSH key-based auth and remove config storage of passwords; if you must store secrets, use a secure credential store (not plain files).
- Run initial tests in an isolated network or VM.
- If you need stronger assurance, ask the publisher for provenance (source repo, signed releases) or request a version that uses key-based auth and does not disable host-key verification.
Given the combination of insecure credential handling and the mismatch between metadata and file behavior, proceed only if you accept these risks and have verified the code.
功能分析
Type: OpenClaw Skill
Name: skill-cross-agent
Version: 1.0.0
The skill bundle provides remote command execution and file transfer capabilities across a local network via SSH. It utilizes 'sshpass' for automated authentication, which involves storing credentials in plain text in '~/.config/openclaw/cross-agent.conf' and disabling SSH host key verification ('StrictHostKeyChecking=no') in scripts like 'exec.sh', 'get.sh', and 'put.sh'. While these features align with the stated goal of cross-agent collaboration, they introduce significant security vulnerabilities including credential exposure and man-in-the-middle risks, making the bundle high-risk despite no clear evidence of intentional malice.
能力评估
Purpose & Capability
Name, description and declared required binaries (sshpass, ssh, scp, ping, nc) align with the implemented features (scan, test, send, get, put, exec). The scripts implement exactly the advertised SSH-based cross-agent behavior.
Instruction Scope
Runtime instructions and scripts perform network scanning, arbitrary remote command execution, file transfer, and prompt to install system packages via sudo. The wizard will auto-install sshpass (sudo apt) and the scripts disable SSH host-key checking (StrictHostKeyChecking=no) which increases MITM risk. The skill also writes plaintext credentials to a local config file and exposes passwords on the command line via sshpass—these are beyond a minimal, safe instruction scope.
Install Mechanism
No remote downloads or archive extraction; an included install.sh copies files into the user's ~/.openclaw/skills and suggests installing dependencies via the system package manager. Installing dependencies requires sudo (prompted to user).
Credentials
The skill requests no environment variables but reads/writes ~/.config/openclaw/cross-agent.conf (not declared in metadata) and stores default_pass in plaintext. It relies on sshpass (which exposes passwords to process listings) and therefore requires sensitive credentials but does not declare or warn about the config path in the metadata—disproportionate to the claimed 'no required config' metadata.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It persists a user-scoped config file and suggests aliases/.bashrc entries but does not auto-enable system-wide privileges. The wizard/install may run sudo to install packages if the user agrees.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install skill-cross-agent - 安装完成后,直接呼叫该 Skill 的名称或使用
/skill-cross-agent触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of cross-agent for OpenClaw, enabling cross-machine task collaboration via SSH.
- Scan and discover online devices in the local network.
- Test SSH connectivity and manage sessions on target machines.
- Send tasks, execute commands, and transfer files (get/put) between agents.
- Supports interactive setup and configuration of default connection parameters.
- Requires sshpass, ssh, scp, ping, and nc on Linux.
元数据
常见问题
skill-cross-agent-v1.0.0.tar 是什么?
跨机器Agent协作 - 通过SSH连接局域网内其他OpenClaw实例,实现多机任务分发. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 370 次。
如何安装 skill-cross-agent-v1.0.0.tar?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install skill-cross-agent」即可一键安装,无需额外配置。
skill-cross-agent-v1.0.0.tar 是免费的吗?
是的,skill-cross-agent-v1.0.0.tar 完全免费(开源免费),可自由下载、安装和使用。
skill-cross-agent-v1.0.0.tar 支持哪些平台?
skill-cross-agent-v1.0.0.tar 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 skill-cross-agent-v1.0.0.tar?
由 YuleleYO(@yuleleyo)开发并维护,当前版本 v1.0.0。
推荐 Skills