← 返回 Skills 市场
184
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install skill-index
功能描述
Multi-platform skill ranking and discovery system with 25,000+ skills. Supports Tencent SkillHub, Xfyun SkillHub, and local skills. Use when the user asks ab...
安全使用建议
This skill mostly implements a legitimate ranking/discovery tool, but there are red flags you should address before trusting it:
- Investigate the Tencent API URL (https://lightmake.site/api/skills). Confirm the maintainer and prefer an official endpoint (skillhub.tencent.com or your own trusted registry). Do not rely on an unfamiliar third‑party host unless you trust it.
- The tool will read GITHUB_TOKEN from your environment and can write that token into ~/.openclaw/skill-rank/config.json. Only provide a GitHub token with the minimal scopes needed, or run without a token; consider running the first update in an isolated environment (container/VM) to observe behavior.
- Review the code (scripts/*.py) yourself or run it in a sandbox to see which endpoints it contacts during --update. Look for unexpected outbound hosts beyond the declared sources (xfyun, Tencent, GitHub, raw.githubusercontent).
- If you plan to install/run this skill for real users, replace the default tencent_api_url with an authoritative source and remove or explicitly document any third‑party proxies.
- If you need higher assurance, ask the publisher for a homepage, maintainership information, and an explanation for the lightmake.site endpoint; absence of provenance lowers trust.
If you want, I can point to the exact lines that set the suspicious endpoint and where the GITHUB_TOKEN is read, or produce a diff that hardcodes trusted endpoints before you run it.
功能分析
Type: OpenClaw Skill
Name: skill-index
Version: 1.0.0
The skill bundle provides a meta-utility for ranking and installing other skills, which necessitates high-risk capabilities including network access to external APIs (lightmake.site and xfyun.cn) and shell execution via subprocess. While these functions are clearly aligned with the stated purpose in SKILL.md and scripts/skill-rank.py, the ability to trigger software installations and execute system-level CLI tools (skillhub/clawhub) represents a significant privilege level. No evidence of intentional malice, data exfiltration, or command injection vulnerabilities was found, as the script correctly uses list-based arguments for subprocess calls to prevent shell injection.
能力评估
Purpose & Capability
Name/description match the code: the scripts implement multi-source ranking (Tencent, Xfyun, local). However the default Tencent API URL in the code/config is set to https://lightmake.site/api/skills (a third‑party domain) instead of an official Tencent endpoint; that mismatch is unexplained and disproportionate to the stated purpose.
Instruction Scope
Runtime instructions and scripts read and write data under ~/.openclaw/skill-rank (DB, cache, config) and perform network fetches from configured endpoints. The code also references an environment variable GITHUB_TOKEN for authenticated GitHub API use, but the skill metadata declared no required env vars — SKILL.md mentions a token recommendation but the runtime reads the env var directly. These actions (local file I/O plus network calls to external endpoints) are within the broad scope but include undeclared sensitive inputs and an unexplained external API host.
Install Mechanism
No install spec; the bundle is instruction/code-only and uses only Python standard library modules. There are no downloads, archive extraction, or external installers in the provided files.
Credentials
The code accesses GITHUB_TOKEN from the environment and stores configuration (which may include tokens) under ~/.openclaw/skill-rank/config.json. The skill did not declare required env vars in the manifest. Additionally, the default Tencent API endpoint points at a third‑party domain (lightmake.site) which could be used to collect query patterns or metadata — accepting that endpoint by default increases exposure of queries/skill names.
Persistence & Privilege
The skill persists a local SQLite DB and config under ~/.openclaw/skill-rank and suggests cron integration for periodic updates. It does not request always:true or modify other skills' configs, but it will store data (including any tokens you add) on disk — normal for this class of tool but something to be aware of.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install skill-index - 安装完成后,直接呼叫该 Skill 的名称或使用
/skill-index触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release of skill-finder: a multi-platform skill ranking and discovery system supporting 25,000+ skills.
- Integrates Tencent SkillHub, Xfyun SkillHub, and local skills with real-time data.
- Provides commands to list, search, view details, and install skills via CLI.
- Ranks skills using a popularity algorithm based on downloads and community stars.
- Offers real-time installation guidance, dry-run previews, and robust error handling.
- No external dependencies required; uses only Python standard library modules.
元数据
常见问题
技能检索 是什么?
Multi-platform skill ranking and discovery system with 25,000+ skills. Supports Tencent SkillHub, Xfyun SkillHub, and local skills. Use when the user asks ab... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 184 次。
如何安装 技能检索?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install skill-index」即可一键安装,无需额外配置。
技能检索 是免费的吗?
是的,技能检索 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
技能检索 支持哪些平台?
技能检索 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 技能检索?
由 runze123(@runze123)开发并维护,当前版本 v1.0.0。
推荐 Skills