← 返回 Skills 市场

skill-forge

Name: skill-forge
Author: variyaone

作者 Variyaone · GitHub ↗ · v1.3.0 · MIT-0

cross-platform ⚠ suspicious

114

总下载

当前安装

版本数

在 OpenClaw 中安装

/install skill-forge-va

功能描述

A comprehensive tool for creating, documenting, wrapping, and quality-checking professional-grade skills with standardized templates and best practices.

安全使用建议

This skill appears to do what it says (create, document, and package skills), but exercise caution before running it on a machine you care about. Key things to consider: - Review the scripts before running. The CLI uses execSync to run shell commands and package managers. If you plan to run 'install-deps' or similar commands, inspect _meta.json for any untrusted skill directories first. - Command-injection risk: dependency names from metadata are interpolated into shell commands without sanitization. Do not run this tool on data from untrusted sources or unreviewed _meta.json files. - Privilege escalation: installDependency invokes apt/winget/brew and may use sudo. Run in a sandbox or container (or without install commands) if you want to evaluate it safely. - OpenClaw hook is benign (console reminders) but only enable it if you trust the code; it will run periodically in sessions where hooks are enabled. If you want higher confidence: ask the author for an explicit review/fix that escapes/sanitizes dependency names and avoids shell command concatenation (use execFile/spawn with argument arrays and no shell), or run the tool in an isolated VM/container and avoid running the automatic install features.

功能分析

Type: OpenClaw Skill Name: skill-forge-va Version: 1.3.0 The skill bundle provides a CLI tool ('skill-creator.js') for scaffolding, packaging, and managing OpenClaw skills, including features for wrapping existing binaries and installing system dependencies. It is classified as suspicious because it makes extensive use of 'child_process.execSync' to execute system commands (e.g., 'apt-get', 'brew', 'winget', 'xcopy', and PowerShell's 'Compress-Archive') using unsanitized string interpolation of user-provided arguments like 'skillName' and 'dependency'. This creates a high risk of shell injection and Remote Code Execution (RCE) if the AI agent is prompted to use malicious inputs. While the tool includes a 'detect-malware' command and its functionality aligns with its stated purpose, the lack of input validation for powerful system operations is a significant security flaw.

能力评估

✓ Purpose & Capability

The name/description (skill creation, templates, docs, QA) aligns with the included files: a CLI script to init/check/package skills, templates, docs, and an OpenClaw hook. Requests and metadata don't ask for unrelated credentials or resources.

ℹ Instruction Scope

SKILL.md instructs running the CLI (init/check/wrap/install-deps etc.) and wrapping GitHub repos — expected for this tool. The instructions do not ask the agent to read unrelated secrets or system-wide configs. However, the included CLI implementation executes system commands (checks, installs) and would run package-manager commands and arbitrary shell commands derived from skill metadata, which extends its runtime scope to system package management and shell execution.

✓ Install Mechanism

There is no registry install spec (instruction-only at registry level). The package contains code files but does not automatically download remote executables at install time. This is lower risk than an install that pulls a binary from an arbitrary URL.

✓ Credentials

The skill declares no required environment variables, credentials, or config paths. Nothing in the code requires unrelated cloud credentials. That matches the stated purpose.

✓ Persistence & Privilege

always is false and the OpenClaw hook is optional; the hook contains only periodic console reminders and simple handlers. The skill does not request forced persistent inclusion or modify other skills' configs.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install skill-forge-va
安装完成后，直接呼叫该 Skill 的名称或使用 /skill-forge-va 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.3.0

## \[1.3.0] ### Added - **Intelligent Skill Creation**: Automatically searches for existing projects and provides recommendations - **Dependency Management**: Helps resolve missing dependencies for new devices - **Security Scanning**: Detects malicious code during the skill creation process - **Multi-search Engine Integration**: Leverages multiple search engines for comprehensive project research - **Self-improving Agent Architecture**: Continuously learns and improves from usage - **Proactive Agent Patterns**: Anticipates user needs and provides intelligent suggestions - **Browser Automation**: Integrates with OpenClaw for enhanced capabilities ### Changed - Simplified command interface to focus on core skill creation functionality - Integrated search, analyze, and detect-malware features into internal workflow

元数据

Slug skill-forge-va

版本 1.3.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题

skill-forge 是什么？

A comprehensive tool for creating, documenting, wrapping, and quality-checking professional-grade skills with standardized templates and best practices. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 114 次。

如何安装 skill-forge？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install skill-forge-va」即可一键安装，无需额外配置。

skill-forge 是免费的吗？

是的，skill-forge 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

skill-forge 支持哪些平台？

skill-forge 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 skill-forge？

由 Variyaone（@variyaone）开发并维护，当前版本 v1.3.0。