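Total downloads: 847
Favorites: 0
Current installs: 6
Versions: 2
Install in OpenClaw
/install skill-forge
Description
A closed-loop system for automated AI skill discovery, evaluation, integration, verification and promotion: a cross-ecosystem skill marketplace engine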
Security recommendations
This skill is 'suspicious' because its runtime steps do things (clone repos, run scans, publish to X/ClawHub) that are not reflected in the metadata. Before installing or invoking it:
1) Do not run its pipeline on your primary machine — use an isolated sandbox or VM.
2) Ask the author for a full manifest of required binaries and environment variables (pnpm/node/git/YARA, TWITTER_BEARER_TOKEN, ClawHub credentials, etc.) and why each is needed.
3) Inspect the actual implementation code (the GitHub repo link is provided) — review scripts that the pipeline executes, any auto-publish logic, and what data is uploaded to external services.
4) Limit the credentials you provide to least privilege (e.g., scoped tokens) and prefer time-limited/test accounts.
5) If you must run it, do so with network controls and file-system snapshots so you can undo changes and monitor outbound activity.
6) If the repo or code is not available for review or the author cannot justify the undeclared credentials/tools, avoid granting sensitive tokens or running the pipeline.
Functional analysis
Type: OpenClaw Skill
Name: skill-forge
Version: 0.3.0
The skill is classified as suspicious due to its broad and high-risk capabilities, which include requiring access to sensitive credentials (`TWITTER_BEARER_TOKEN` in `SKILL.md`), performing extensive network interactions with numerous external services (GitHub, X/Twitter, HuggingFace, etc.), cloning and potentially processing untrusted code from external repositories, probing local system runtimes, and interacting with social media platforms (posting tweets). While these actions are described as part of the skill's stated purpose (AI skill discovery and promotion), they introduce significant security vulnerabilities and a high potential for abuse through prompt injection or supply chain attacks, even without explicit malicious instructions in the provided files.
Capability assessment
Purpose & Capability
The SKILL.md describes a complex pipeline (scanning GitHub/HuggingFace/Reddit/X/ProductHunt, cloning repos, running YARA scans, detecting local runtimes, auto-integrating and publishing skills, and auto-posting to X). The skill metadata, however, declares no required binaries, no environment variables, and no install steps. That is internally inconsistent: the pipeline clearly needs tools (pnpm/node/git/YARA), network access, and credentials for publishing (X/Twitter, ClawHub), none of which are declared.
Instruction Scope
The instructions tell an agent to run a multi-stage pipeline (pnpm pipeline) that will read/write /Volumes/data/openclaw/evolution-engine, clone external repositories, run compatibility and security scans, produce skill.json/SKILL.md and auto-publish (clawhub publish, announce to X). This scope includes broad filesystem access, network crawling, code execution, and external publishing — far beyond a simple information-only skill and not limited by metadata or guardrails in the SKILL.md.
Install Mechanism
No install spec (instruction-only), which lowers direct install risk because nothing is automatically written by the registry. However, the runtime assumes pnpm/node, git, YARA and other tooling are present and will execute pipelines that could fetch and run arbitrary code. The lack of declared required binaries is a mismatch (should list pnpm/node/git/YARA at minimum).
Credentials
SKILL.md names dependent skills that require credentials (e.g., x-twitter needs TWITTER_BEARER_TOKEN; social-sentiment needs an Xpoz account) and implies publishing actions (ClawHub, X). Yet the skill metadata lists no required environment variables or primary credential. This discrepancy means the skill will expect secrets/credentials at runtime without declaring them, which is a proportionality and transparency issue.
Persistence & Privilege
always is false (normal) and autonomous invocation is allowed (platform default). Autonomous invocation combined with the pipeline's ability to publish externally (post tweets, publish skills) increases potential impact if misconfigured, but autonomy alone is not flagged here. There's no evidence the skill requests permanent system-wide config changes, but it does operate on host filesystem paths and may push content externally.
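How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install skill-forge
- Once installation completes, call the Skill by name or use /skill-forge to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history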
v0.3.0
v0.3.0: Added announce module (auto tweet generation + X sentiment monitoring), integrated x-twitter and social-sentiment skills, 6-stage pipeline
v0.2.0
v0.2.0: Real runtime detection, needs-driven search, ClawHub-standard output, 9+ data sources
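FAQ
What is Skill Forge?
A closed-loop system for automated AI skill discovery, evaluation, integration, verification and promotion: a cross-ecosystem skill marketplace engine. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 847 cumulative downloads so far.
How do I install Skill Forge?
Run the command "/install skill-forge" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is Skill Forge free?
Yes, Skill Forge is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Skill Forge support?
Skill Forge runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Skill Forge?
Developed and maintained by stakeswky (@stakeswky); the current version is v0.3.0.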