← 返回 Skills 市场
SkillForge
作者
shadoprizm
· GitHub ↗
· v1.0.4
· MIT-0
94
总下载
0
收藏
0
当前安装
5
版本数
在 OpenClaw 中安装
/install skillforge-cli
功能描述
Generate and audit OpenClaw agent skills from natural language. Use when the operator asks to create a skill, build a skill, generate a skill, audit a skill,...
安全使用建议
Before installing or running this skill, verify the upstream npm package and GitHub repository (https://github.com/shadoprizm/skillforge) yourself: inspect the package source, release history, and maintainer. Do not run --pro or audit commands against directories containing secrets, private keys, or production API keys — the tool will send skill contents to whichever AI provider you configure. Consider using an ephemeral/test API key for Pro mode, and confirm how keys are stored (the SKILL.md/skill.json indicate keys are saved under ~/.skillforge via 'conf', which may be plaintext). Also note the registry metadata omission: SKILL.md expects npm and clawhub CLI presence even though 'Required binaries' is empty; ensure you have and trust those tools before proceeding.
功能分析
Type: OpenClaw Skill
Name: skillforge-cli
Version: 1.0.4
The skill serves as a wrapper for the `@shadoprizm/skillforge` CLI, which requires global npm installation and the management of several sensitive AI API keys (OpenAI, OpenRouter, etc.). It performs high-risk operations such as reading local file contents to send to external AI providers for auditing and publishing skills to the ClawHub registry (skill.json, SKILL.md). While these capabilities are aligned with its stated purpose as a developer utility and include safety warnings, the combination of broad file system access, network transmission of local data, and global package dependencies represents a significant security surface.
能力评估
Purpose & Capability
The name/description (generate & audit skills) align with the instructions in SKILL.md. However, SKILL.md expects npm and the ClawHub CLI (clawhub login/publish) to be available, while the registry metadata says 'Required binaries: none'—this is an inconsistency. skill.json points to a GitHub repo as the source, but the registry-level 'Homepage: none' contradicts that.
Instruction Scope
The runtime instructions stay within the stated purpose: run the SkillForge CLI to generate/audit skill directories and (when --pro is used) send skill contents to the user-selected AI provider. The SKILL.md explicitly warns not to audit directories containing secrets. It does not instruct the agent to read unrelated files, hidden system paths, or undisclosed environment variables.
Install Mechanism
The skill is instruction-only (no install spec), but SKILL.md instructs users to run npm install -g @shadoprizm/skillforge. Installing a third-party global npm package runs arbitrary code on the host — this is expected for a CLI but increases risk and should be validated by inspecting the package and its GitHub source. No direct install URL or extract-from-unknown-host behavior is present, which is good, but the absence of an install spec in registry metadata plus contradictory homepage information is a minor red flag.
Credentials
No required env vars are declared at the registry level, and the skill.json sensibly lists several optional API keys (ZAI_API_KEY, OPENAI_API_KEY, OPENROUTER_API_KEY, QWEN_API_KEY) needed only for Pro features — this is proportionate. However, skill.json states keys are stored locally under ~/.skillforge using the 'conf' package and describes storage inconsistently (calls it both encrypted and plaintext-like). Storing API keys locally in cleartext (or in a location with bash-like permissions) is sensitive and should be considered before use.
Persistence & Privilege
The skill does not request always:true, does not declare system config path access, and does not attempt to modify other skills. It uses normal autonomous invocation defaults. No elevated persistence or cross-skill config changes are requested.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install skillforge-cli - 安装完成后,直接呼叫该 Skill 的名称或使用
/skillforge-cli触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.4
Fix: corrected conf storage claim (plaintext, not encrypted). Added content-sending warning for Pro mode audits.
v1.0.3
Full transparency: MIT license, GitHub source, npm package, dependency list, exact API endpoints, encrypted key storage details
v1.0.2
Full metadata transparency: install steps, env vars, network calls, credential handling, source repo
v1.0.1
Added skill.json metadata
v1.0.0
Initial release: skill generator and auditor for OpenClaw
元数据
常见问题
SkillForge 是什么?
Generate and audit OpenClaw agent skills from natural language. Use when the operator asks to create a skill, build a skill, generate a skill, audit a skill,... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 94 次。
如何安装 SkillForge?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install skillforge-cli」即可一键安装,无需额外配置。
SkillForge 是免费的吗?
是的,SkillForge 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
SkillForge 支持哪些平台?
SkillForge 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 SkillForge?
由 shadoprizm(@shadoprizm)开发并维护,当前版本 v1.0.4。
推荐 Skills