cyber-bye

Skill Onboarder

Author: cyber-bye · GitHub ↗ · v1.1.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 85
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install skill-onboarder
Description
Auto-wires new skills into core system. On skill install detected, reads SKILL.md/AGENT.md/SOUL.md/hooks and injects into soul/memory/agent files.
Security recommendations
This skill does what it says (it auto-wires other skills), but it gains high-impact, persistent ability to change core agent/soul configuration. Before installing:
  1. Prefer not to enable always:true; require manual confirmation for onboarding actions.
  2. Restrict this skill to administrators and run it in a sandbox first.
  3. Audit its templates and the exact write paths it will modify; ensure the platform logs and file-change audit are enabled.
  4. Require that incoming skills be validated (only trusted sources) before the onboarder processes them, because a malicious skill could craft SKILL.md/AGENT.md/hooks to create persistent triggers, hard rules, or pre-response hooks that alter behavior or exfiltrate data.
  5. If you must use it, remove or disable 'Always Fires' / HARD-rule auto-enabling by default and require explicit user consent per injected rule.
Functional analysis
Type: OpenClaw Skill
Name: skill-onboarder
Version: 1.1.0
The skill-onboarder is designed to automate the integration of other skills by reading their configuration files and injecting instructions directly into core system files such as 'soul/master.md' and 'agent/skills-active.md'. While the stated purpose is administrative automation, the ability to modify the agent's core logic and rules based on external, potentially untrusted skill files represents a significant security risk for prompt injection and persistence. It lacks explicit validation or sanitization of the content being injected, effectively acting as a mechanism for privilege escalation within the OpenClaw environment.
Capability assessment
Purpose & Capability
The name/description (auto-wire new skills) align with the instructions: reading SKILL.md/AGENT.md/SOUL.md/hooks and writing into soul/master.md, agent/skills-active.md, and workspace/_index.md. That functionality is coherent with an onboarder. However, the skill claims no required config paths or elevated privileges while its runtime instructions explicitly perform writes to core agent/soul/workspace paths (a mismatch worth noting).
Instruction Scope
The SKILL.md and templates will cause the agent to: scan each new skill's files, derive triggers and rules, and inject entries that can mark other skills as 'Always Fires', add HARD enforcement rules (which can block responses until satisfied), and add keyword triggers to scan every input. Those operations change runtime behavior platform-wide and give the onboarder the ability to create persistent triggers and enforcement rules from arbitrary skill metadata; this is broad scope and high-impact.
Install Mechanism
No install spec and no code files beyond markdown/templates — the skill is instruction-only, so there is no arbitrary binary download or archive extraction. Installation risk from downloaded code is low.
Credentials
The skill declares no required env vars or config paths, yet the instructions write to core files and create paths (soul/master.md, agent/skills-active.md, workspace/_index.md). The metadata omits the fact that the skill expects write access to these central files. That mismatch reduces transparency and is disproportionate to the lack of declared privileges.
Persistence & Privilege
Flagged 'always: true', meaning it will be force-included in every agent run. Combined with its ability to inject 'always fires' markers and HARD rules into agent config, this creates a persistent, high-privilege configuration pathway that could be abused to escalate influence or ensure malicious rules persist across runs. (Autonomous invocation itself is normal, but always:true is a significant privilege.)
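How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog box: /install skill-onboarder
  3. Once installation completes, invoke the Skill by name or trigger it with /skill-onboarder
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history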
v1.1.0
better triggers
v1.0.0
Initial release: one-time skill installer — reads new skill files, injects into soul/agent/memory/workspace index, creates missing paths, idempotent
Metadata
Slug skill-onboarder
Version 1.1.0
License MIT-0
Total installs 0
Current installs 0
Number of versions 2
FAQ

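What is Skill Onboarder?

Auto-wires new skills into core system. On skill install detected, reads SKILL.md/AGENT.md/SOUL.md/hooks and injects into soul/memory/agent files. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 85 total downloads to date.

How do I install Skill Onboarder?

Run the command "/install skill-onboarder" in the OpenClaw or Claude Code dialog box to install it in one step; no additional configuration is needed.

Is Skill Onboarder free?

Yes. Skill Onboarder is completely free and released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does Skill Onboarder support?

Skill Onboarder is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Skill Onboarder?

Developed and maintained by cyber-bye (@cyber-bye); the current version is v1.1.0.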
