Skill
Author: yx2601816404-sys (GitHub)
Version: v2.3.1
Total downloads: 925
Favorites: 0
Current installs: 1
Versions: 15
Install in OpenClaw:
/install skill-store
Description
Smart skill installation advisor for ClawHub. Searches for skills matching your needs, evaluates candidates on security (via skill-shield), code quality, and...
Safe-usage advice
This skill is an advisor that will use your clawhub CLI to install and inspect other skills and will run a local skill-shield scanner. That is consistent with its purpose, but:
- Clarify the metadata mismatch: it DOES need clawhub and a scanner even though the metadata claims 'zero external dependencies'.
- Only run it in a disposable or isolated workspace (use --workdir pointing at a temp directory or container), because 'clawhub install' can run package install hooks from third-party skills.
- Verify the scanner path (SKILL_SHIELD_SCANNER) and review the generated report before allowing any recommended installation.
- If you need higher assurance, run the tool with --top 1 and inspect the candidate skill contents manually before letting it install or recommend anything.
- If the author can explain or correct the contradictory metadata (required binaries/env vs. declared none), that will raise confidence.
Functional analysis
Type: OpenClaw Skill
Name: skill-store
Version: 2.3.1
The 'skill-store' skill, designed for security evaluation, contains critical vulnerabilities. The `scripts/evaluate.py` script allows arbitrary code execution via the `--scanner` argument and arbitrary file write/deletion via the `--workdir` argument, due to insufficient input validation when handling user-provided paths. Additionally, the `webapp/index.html` is vulnerable to Cross-Site Scripting (XSS) as it directly interpolates skill names and descriptions from `skills.json` into the DOM without proper sanitization. While these flaws could enable severe attacks, there is no clear evidence of intentional malicious behavior by the 'skill-store' itself; rather, they are vulnerabilities in its implementation.
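Input validation of the kind the analysis says evaluate.py lacks for its two path arguments, as an added example (not the skill-store project's own code): the function names, the sandbox-root and allowed-scanner-directory arguments, and the sample paths are assumptions.

```python
# Added illustration for the --workdir/--scanner findings above, not the project's code.
import tempfile
from pathlib import Path

class UnsafePathError(ValueError):
    """A user-supplied path points outside the location it may use."""

def _inside(candidate: Path, root: Path) -> bool:
    """True if candidate is root or lies below it after symlink resolution."""
    return candidate == root or root in candidate.parents

def confine_workdir(user_path: str, sandbox_root: str) -> Path:
    """Resolve --workdir under sandbox_root (assumed sandbox), refusing escapes.
    resolve() follows symlinks and collapses '..', so both traversal and a symlinked
    workdir are caught before the script later cleans up or uninstalls in it."""
    root = Path(sandbox_root).resolve()
    target = (root / user_path).resolve()  # an absolute user_path replaces root
    if not _inside(target, root):
        raise UnsafePathError(f"--workdir {user_path!r} escapes {root}")
    return target

def validate_scanner(scanner_path: str, allowed_dir: str) -> Path:
    """Accept --scanner only as an existing regular file under a vetted allowed_dir."""
    allowed = Path(allowed_dir).resolve()
    candidate = (allowed / scanner_path).resolve()
    if candidate == allowed or not _inside(candidate, allowed):
        raise UnsafePathError(f"--scanner {scanner_path!r} is outside {allowed}")
    if not candidate.is_file():  # the script executes this path, so no dirs or missing files
        raise UnsafePathError(f"--scanner {candidate} is not a regular file")
    return candidate

def demo() -> dict:
    """Run both checks against a constructed temporary sandbox; returns outcome flags."""
    sandbox = tempfile.mkdtemp(prefix="skillstore-")
    Path(sandbox, "scan.py").write_text("# constructed stand-in for skill-shield scan.py\n")
    root = Path(sandbox).resolve()
    out = {"workdir_ok": confine_workdir("run-1", sandbox) == root / "run-1",
           "scanner_ok": validate_scanner("scan.py", sandbox) == root / "scan.py"}
    for name, arg, check in [("traversal", "../../etc", confine_workdir),
                             ("absolute", "/etc", confine_workdir),
                             ("scanner_escape", "../scan.py", validate_scanner),
                             ("scanner_missing", "nope.py", validate_scanner)]:
        try:
            check(arg, sandbox)
            out[name + "_rejected"] = False
        except UnsafePathError:
            out[name + "_rejected"] = True
    return out
```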
Capability assessment
Purpose & Capability
SKILL.md and scripts/evaluate.py implement a ClawHub search/install + skill-shield scan + quality scoring pipeline, which matches the name/description. However, the top-level metadata claims 'zero external dependencies' and lists no required binaries/env, while the README and script clearly require the 'clawhub' CLI and access to a skill-shield scanner (or the SKILL_SHIELD_SCANNER env var). This mismatch is incoherent and should be clarified.
Instruction Scope
The runtime instructions and evaluate.py stay within the advertised scope: they search ClawHub, install candidate skills into a working directory, run a security scanner, inspect files to measure quality, and produce reports. That said, installing arbitrary skills (even into a temporary workdir) and running their scanners means you will execute code from untrusted packages (via the clawhub install process and any install hooks those skills contain). That behavior is expected for this tool but is an important security consideration.
Install Mechanism
There is no install spec (instruction-only). The package includes a Python script you run manually; nothing in the skill metadata writes installers or downloads code at install time. The script itself will download/install candidate skills using the external 'clawhub' tool when you run it; that is expected for the stated purpose.
Credentials
The skill metadata declares no required env vars, but evaluate.py checks SKILL_SHIELD_SCANNER and the SKILL.md requires an authenticated clawhub CLI and access to skill-shield's scan.py. The script also probes user home paths for a local scanner copy. These environment/credential requirements are reasonable for the tool's function, but the metadata omission is misleading and should be corrected.
Persistence & Privilege
The skill is not marked always:true and does not attempt to modify other skills or global agent configuration. It writes to and cleans up a working directory and can uninstall candidate dirs. No persistent privileged presence is requested by the skill itself.
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install skill-store
- After installation, call the Skill by name directly or use /skill-store to trigger it.
- Provide the required inputs according to the Skill's parameter description to get structured output.
Version history
- v2.3.1: 849 skill scan data (A=157, B=83, C=59, D=50, F=35, 465 doc-only). 864 skills installed.
- v2.3.0: 836 skill scan data (A=156, B=78, C=59, D=50, F=35, 458 doc-only). 851 skills installed.
- v2.2.1: 694 skill scan data refresh (196 safe, 120 risky, 378 doc-only). 703 skills installed.
- v2.2.0: 694 skill scan data (135 A, 61 B, 47 C, 42 D, 31 F, 378 doc-only). Up from 393 in v2.1.0.
- v2.1.0: 393 skills scanned. 121 safe, 62 risky, 210 doc-only. 85 A-rated.
- v2.0.0: 374 skills scanned. 116 safe, 61 risky, 197 doc-only. 81 A-rated skills.
- v1.9.0: 358 skills scanned (was 336). 115 safe, 60 risky, 183 doc-only. 80 A-rated skills.
- v1.8.0: 336 skills scanned (was 307). 109 safe, 52 risky, 175 doc-only.
- v1.7.0: 307 skills scanned (was 258). 94 safe, 50 risky, 163 doc-only. 300+ milestone.
- v1.6.0: 258 skills scanned (was 201). 77 safe, 43 risky, 138 doc-only.
- v1.5.0: 201 skills scanned (was 181). 64 safe, 35 risky, 102 doc-only. Scanned with skill-shield v0.6.1.
- v1.4.0: Updated scan data to 181 skills.
- v1.3.0: Updated scan data with skill-shield v0.4.0 (142 skills). A-rated: 22→42.
- v1.2.0: Bundle store-app Web UI with pre-scanned data for 108 skills. Updated skill-shield integration to v0.3.1 dual rating.
- v1.1.0: Smart skill installation advisor. Search, evaluate, compare, recommend. Uses skill-shield dual rating.
FAQ
What is this Skill?
Smart skill installation advisor for ClawHub. Searches for skills matching your needs, evaluates candidates on security (via skill-shield), code quality, and... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 925 total downloads to date.
How do I install the Skill?
Run the command "/install skill-store" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is the Skill free?
Yes, the Skill is completely free (open source); you can download, install and use it freely.
Which platforms does the Skill support?
The Skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed the Skill?
Developed and maintained by yx2601816404-sys (@yx2601816404-sys); the current version is v2.3.1.