skillhub-auto-installer
Author: Jiayao0810 · v1.0.2 · MIT-0
Total downloads: 125
Favorites: 0
Current installs: 1
Versions: 3
Install in OpenClaw
/install skillhub-auto-installer
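Description
Search the Skillhub skill marketplace and discover available skills. This skill provides search only and does not perform any installation or local file operations. Keywords: skillhub, search skills, findskill, skill discovery, skill marketplace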
Security usage recommendations
Do not trust the 'read-only' claim without manual verification. The package contains multiple installer scripts (install.sh, secure-install.sh, pre-install-check.sh, security-check.sh) that will download and write code into a local workspace (e.g. /home/gem/workspace/agent) using 'npx ... skills add' and may execute audit scripts from downloaded skills. Before installing or running any scripts:
1) Inspect the scripts line-by-line to confirm what they do;
2) Only run the search script (search.sh) in a sandbox or non-production environment if you only want read-only behavior;
3) Do not run install/secure-install scripts unless you explicitly trust skills.volces.com and the target skill owner, and after manually reviewing the remote SKILL.md and code;
4) Prefer running manual install commands yourself rather than allowing the agent to run them;
5) Ask the skill author to clarify why installer scripts are bundled despite the read-only claim or to remove them if they are unnecessary.
If the author confirms removal of installer scripts or updates the SKILL.md and metadata to accurately reflect capabilities, this assessment should be revisited.
Functional analysis
Type: OpenClaw Skill
Name: skillhub-auto-installer
Version: 1.0.2
The bundle exhibits deceptive behavior by explicitly stating in SKILL.md that it 'does not execute any installation' and is 'search only,' while simultaneously providing multiple scripts (install.sh, secure-install.sh) that perform remote code installation via npx. Additionally, pre-install-check.sh forces the installation of a third-party 'security' tool (SkillSentry) from a specific external URL (https://skills.volces.com/skills/clawhub/poolguy24), which is a common social engineering tactic used to introduce secondary payloads under the guise of a security audit.
Capability assessment
Purpose & Capability
The name/description and SKILL.md repeatedly state the skill only searches Skillhub and 'does not perform installation or local file operations', yet the repo includes install.sh, secure-install.sh, pre-install-check.sh and security-check.sh which run 'npx ... skills add', cd into /home/gem/workspace/agent, read/write the skills directory, and run local audit scripts. Requiring node/npx and network access makes sense for search, but presence of installation scripts is disproportionate to the claimed read-only purpose.
Instruction Scope
The runtime SKILL.md emphasizes read-only behavior and shows using search.sh, but the distributed files contain scripts that will perform installs, run remote downloads, execute audit scripts from downloaded content, and inspect local paths. The instructions also include manual install commands that would download/execute remote code. This contradicts the 'no local file system access / no installation' claims and grants the skill the ability to modify local state if those scripts are run.
Install Mechanism
There is no declared install spec, but the scripts rely on 'npx -y skills add' to pull code from https://skills.volces.com and copy it into a local skills directory. Using npx to fetch and extract remote skill packages is a moderate risk (downloads and writes remote code to disk). The host used is consistent across scripts (skills.volces.com) — not an obfuscated/personal IP — but scripts also hardcode paths like /home/gem/workspace/agent which is unexpected and brittle.
Credentials
Registry metadata lists no required env vars, but SKILL.md and scripts use SKILLS_API_URL and reference OPENCLAW_STATE_DIR and rely on node/npx. The SKILL.md declares node/npx/network as runtime dependencies but the package files also access and modify local filesystem paths and check for SkillSentry in various local locations — this local access is not reflected in the metadata and is inconsistent with the skill's stated 'no local access' promise.
Persistence & Privilege
always:false (normal). The scripts, if executed, write into the agent's skills directory and run installers that could add new skills to the environment. That grants the skill the ability to change agent state, but the package does not request 'always' or explicit elevated flags. Autonomous invocation is enabled by default; combined with the presence of install scripts this increases the blast radius if the agent were to run them without user confirmation.
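How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install skillhub-auto-installer
- Once installation is complete, call the Skill by name or use /skillhub-auto-installer to trigger it
- Provide the required input according to the Skill's parameter description to get structured output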
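Version history
v1.0.2
skillhub-auto-installer v1.0.2
- Simplified and refined SKILL.md, explicitly declaring that the skill is used only for search and does not perform installation or local operations
- Added the scripts/search.sh script, supporting search-only access to the Skillhub skill marketplace
- Removed instructions related to the security audit and manual installation workflow, focusing on the read-only search function
- Strengthened the security notes, emphasizing that it does not access local files or read configuration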
v1.0.1
**Summary:**
This version clarifies scope and enhances installation safety guidance.
- Updated documentation to state that the skill only searches and recommends skills—it no longer performs automatic installation.
- Added section clearly requiring manual user confirmation and installation for all skills.
- Included recommended secure installation procedure using SkillSentry.
- Added `scripts/pre-install-check.sh` for pre-installation safety checks.
- Expanded safety instructions and risk warnings for users.
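v1.0.0
Skillhub Auto-Installer 1.0.0
- New release: supports automatic search, filtering and one-click installation of Skillhub skills
- Integrates SkillSentry to automatically run security scans and audits before and after installation
- Intelligently matches the skills best suited to the user's needs and provides a security report
- Supports keyword search, skill detail display and result filtering
- Provides command-line tool documentation, supporting manual security checks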
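FAQ
What is skillhub-auto-installer?
Search the Skillhub skill marketplace and discover available skills. This skill provides search only and does not perform any installation or local file operations. Keywords: skillhub, search skills, findskill, skill discovery, skill marketplace. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 125 cumulative downloads to date.
How do I install skillhub-auto-installer?
Run the command "/install skillhub-auto-installer" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.
Is skillhub-auto-installer free?
Yes, skillhub-auto-installer is completely free, is released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does skillhub-auto-installer support?
skillhub-auto-installer runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed skillhub-auto-installer?
Developed and maintained by Jiayao0810 (@jiayao0810); the current version is v1.0.2.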