Skill Discovery Monitor
Author: zhdryanchang · v1.0.0
Total downloads: 283 · Favorites: 0 · Current installs: 1 · Versions: 1
Install in OpenClaw
/install skill-discovery-monitor
Description
Monitor and discover popular skills across platforms with daily reports, analytics, usage flowcharts, and multi-channel notifications.
Security usage recommendations
Do not install or run this skill without addressing the embedded credentials and metadata inconsistencies. Specific steps to consider before proceeding:
- Treat the SkillPay API key found in skill.json/README as compromised; do not reuse it. Ask the publisher to remove any hard-coded keys and publish a version that requires you to set your own SKILLPAY_API_KEY in environment variables.
- Confirm with the maintainer why registry metadata lists no required env vars while SKILL.md and code expect many tokens; prefer a manifest that accurately declares all required secrets.
- If you must run this code for testing, do so in a sandboxed environment (isolated VM/container) with fake/test keys and no access to sensitive accounts.
- Review/rotate any real credentials you might have exposed while evaluating this skill (especially SkillPay or SMTP credentials).
- Audit the SkillPay account (if you control it) for unexpected activity, and ensure payment callbacks are validated (the code uses in-memory subscription storage and marks subscriptions active on POST /payment/callback — consider adding signature verification).
- If you don't trust the author or cannot get the hard-coded key removed, avoid installing this skill because the embedded key increases risk of payment/account misuse.
Functional analysis
Type: OpenClaw Skill
Name: skill-discovery-monitor
Version: 1.0.0
The skill bundle is a functional multi-platform monitoring tool designed to discover trending skills and packages from Clawhub, GitHub, and npm. The code logic is transparent, well-documented, and aligns perfectly with its stated purpose of providing analytics and notifications (Telegram, Discord, Email) for developers. While it contains a hardcoded API key in 'skill.json' and 'README.md' (a credential exposure vulnerability) and some unused dependencies like 'cheerio', these appear to be artifacts of template-based development rather than intentional malice. No evidence of data exfiltration, unauthorized execution, or prompt injection was found.
Capability assessment
Purpose & Capability
The name/description match the code: scrapers for Clawhub/GitHub/npm, flowchart generation, scheduled reports, and multi-channel notifications. However, registry metadata claims no required env vars or credentials while both SKILL.md and the code actually require multiple credentials (SKILLPAY_API_KEY, TELEGRAM_BOT_TOKEN, DISCORD_WEBHOOK_URL, EMAIL credentials, optional CLAWHUB/GITHUB tokens). That mismatch between declared registry metadata and the skill's own docs/code is inconsistent and should be questioned.
Instruction Scope
SKILL.md describes running an Express API, endpoints (/discover, /notify, /subscribe, etc.), and environment variables needed for operation — that matches the code. The runtime instructions do not request unrelated system files or weird data collection beyond userId/transactionId/subscription info. The main scope creep risk is the payment flow (SkillPay) which will accept callbacks and mark subscriptions active; that behavior is described in code and docs.
Install Mechanism
There is no external download/install script; typical Node.js package.json and dependencies are used. Dependencies are standard for scraping, HTTP serving, notifications, and scheduling. No high-risk external URLs or archive downloads are present in the manifest.
Credentials
The code and SKILL.md require multiple credentials appropriate for the described features (telegram/discord/email tokens, optional platform tokens, and a SkillPay API key for payments), but the registry metadata declared none — an inconsistency. Critically, the repository/skill.json and README embed a concrete SkillPay API key value (apiKey: sk_e390b52c...), which appears to be a secret included in published files. Hard-coded API credentials in the bundle are a major concern: anyone with that key could call SkillPay endpoints as the skill, manipulate payment verification, or view/modify payment resources tied to that key. This is disproportionate and dangerous if left as-is.
Persistence & Privilege
The skill does not request always:true or modify other skills; it runs an HTTP server and schedules tasks in-process. Autonomous invocation is allowed (default) — combined with the embedded payment key and network access this increases blast radius, but autonomous invocation itself is not unusual.
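How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install skill-discovery-monitor
- Once installation completes, invoke the Skill by name or use /skill-discovery-monitor to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history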
v1.0.0
Initial release: Discover trending skills across Clawhub, GitHub Actions, and npm. Features include multi-platform monitoring, usage flowcharts, feature summaries, and scheduled daily reports with SkillPay integration.
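FAQ
What is Skill Discovery Monitor?
Monitor and discover popular skills across platforms with daily reports, analytics, usage flowcharts, and multi-channel notifications. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 283 cumulative downloads to date.
How do I install Skill Discovery Monitor?
Run the command "/install skill-discovery-monitor" in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is required.
Is Skill Discovery Monitor free?
Yes, Skill Discovery Monitor is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Skill Discovery Monitor support?
Skill Discovery Monitor runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Skill Discovery Monitor?
It is developed and maintained by zhdryanchang (@zhdryanchang); the current version is v1.0.0.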