← 返回 Skills 市场
sucriss

skill-isolator

作者 Criss_Su · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
406
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install skill-isolator
功能描述
Project-based skill isolation and management. Enables different projects to use different skill sets with automatic loading based on current working director...
安全使用建议
What to check before using this skill: - The sync script runs 'clawhub install <skill>' via execSync. Make sure you have the 'clawhub' CLI installed and trust it before running the sync script; the skill does not declare this as a required binary in its metadata. - The scripts will read and write files under your home directory (e.g., ~/.openclaw/cache, ~/.openclaw/logs, ~/.openclaw/skills). If you prefer not to have those paths written, review/modify the code first. - Example config mentions GitHub token (GITHUB_TOKEN) for git sources; if you later enable git/url sources you may need to expose credentials. The current sync script reports git/url as 'not yet implemented', but the validate/example files reference auth, so be cautious if you edit configs to include credentials. - SKILL.md says skills will 'auto-sync on project enter' — the package provides flags and config options but no background watcher; you'll need to wire the sync script into your shell, editor, or agent to get automatic behavior. - Recommended actions: inspect the scripts locally (they are small and readable), run validate-config.js on any config you create, and run sync-project-skills.js in a test directory first to observe what it writes and what external commands it invokes. If you do not want the 'clawhub' dependency or any network installs, avoid running the sync script or remove/modify the installFromClawhub function.
功能分析
Type: OpenClaw Skill Name: skill-isolator Version: 1.0.0 The skill bundle provides a utility for project-based skill isolation but contains a shell injection vulnerability. In `scripts/sync-project-skills.js`, the `installFromClawhub` function uses `execSync` to execute shell commands constructed directly from the `skillName` and `version` fields found in the `.openclaw-skills.json` configuration file without any sanitization. A maliciously crafted configuration file could exploit this to run arbitrary system commands. While the overall logic appears aligned with its stated purpose and lacks evidence of intentional malice or data exfiltration, the high-risk implementation of system calls qualifies it as suspicious.
能力评估
Purpose & Capability
The skill's name/description align with the included scripts (init, validate, sync) and the file layout. However, the runtime code invokes an external 'clawhub' CLI to install skills even though the skill metadata does not declare any required binaries; the SKILL.md and examples also reference git/url sources and optional auth (GITHUB_TOKEN) even though git/url support is 'not yet implemented' in the sync script. These are inconsistencies between claimed capabilities and actual implementation or declared requirements.
Instruction Scope
SKILL.md instructs the agent/user to create project config files and run the provided scripts. The scripts scan up to 10 parent directories for .openclaw-skills.json, read/write cache and log files under ~/.openclaw (or APPDATA path), and call external installers. The SKILL.md promises 'automatic' loading on project enter; the repo only provides scripts and configuration options for autoSync, but no background hook/daemon — auto-sync would need a shell or agent integration to run the sync script on directory change. The scripts access typical environment variables (HOME, APPDATA, USERPROFILE) and filesystem paths which is expected for this functionality.
Install Mechanism
There is no remote install specification (no downloads or extract steps). All code is included in the package and the sync script runs local actions and calls the external 'clawhub' command. This is low-risk from an installation artifact perspective, but runtime exec of external commands is present.
Credentials
The package declares no required environment variables, but the scripts read standard environment variables (HOME, APPDATA, USERPROFILE) to determine cache/skill/log locations — this is reasonable. Example configs and validate logic reference an 'auth' object that can point to an env var (e.g., GITHUB_TOKEN) for git sources; the code currently logs that git/url support is unimplemented but the presence of that example means a user could add auth/env-based settings later. The inconsistency is that the skill does not explicitly state it may use credentials for git or other sources.
Persistence & Privilege
The skill does not request always:true or modify other skills' configs. It writes cache and logs to ~/.openclaw and installs skills into ~/.openclaw/skills — that is expected for its purpose. Autonomous invocation by the model is enabled by default on the platform, but the skill itself is implemented as CLI scripts; there's no evidence it autonomously registers a persistent background service. The SKILL.md's 'auto-sync on project enter' is a configuration feature, not an implemented background watcher in the code.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install skill-isolator
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /skill-isolator 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release providing project-based skill isolation, multi-source support, and automated management. - Enables per-project skill isolation and automatic loading based on current working directory. - Supports multiple skill sources (clawhub, local, git, url) with priority-based resolution and version locking. - Provides scripts for skill synchronization, configuration validation, and interactive setup. - Integrates caching, conflict resolution, and auto-sync on project entry or missing skills. - Offers troubleshooting guidance and best practices for project and team usage.
元数据
Slug skill-isolator
版本 1.0.0
许可证 MIT-0
累计安装 1
当前安装数 1
历史版本数 1
常见问题

skill-isolator 是什么?

Project-based skill isolation and management. Enables different projects to use different skill sets with automatic loading based on current working director... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 406 次。

如何安装 skill-isolator?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install skill-isolator」即可一键安装,无需额外配置。

skill-isolator 是免费的吗?

是的,skill-isolator 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

skill-isolator 支持哪些平台?

skill-isolator 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 skill-isolator?

由 Criss_Su(@sucriss)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论