← 返回 Skills 市场
SkillHub Manager
作者
codeblackhole
· GitHub ↗
· v1.0.3
· MIT-0
159
总下载
0
收藏
1
当前安装
3
版本数
在 OpenClaw 中安装
/install skillhub-manager
功能描述
Manage and publish agent skills on SkillHub and ClawHub. Best for developers and operators who need a repeatable workflow to search skills, inspect packages,...
安全使用建议
This skill appears to do what it says (use the clawhub CLI to inspect and publish skills) but its manifest is incomplete. Before installing or letting an agent run it: (1) ensure 'npx' / Node/npm will be available where the agent runs — the SKILL.md assumes it but the package metadata does not declare it; (2) be cautious about providing API tokens: prefer short-lived, least-privilege tokens and do not share long-lived credentials; (3) when asked to publish a local folder, verify the folder contents yourself (avoid including secrets, private keys, or credentials in the published package); (4) consider running the 'inspect' and 'search' commands yourself first to validate the registry and the clawhub CLI behavior; and (5) ask the skill author to update the metadata to explicitly declare required binaries and environment variables (npx, SKILLHUB_API_TOKEN/CLAWHUB_*), or treat the tool as 'read-only' (search/inspect) unless you explicitly consent to publishing with a controlled token. If you want, I can list the exact commands the agent would run and which pieces of data it will request so you can decide what to allow.
功能分析
Type: OpenClaw Skill
Name: skillhub-manager
Version: 1.0.3
The skill bundle is a legitimate utility for managing and publishing agent skills using the `clawhub` CLI. It includes strong safety guardrails in `SKILL.md` and `references/workflows.md`, specifically mandating a 'Mandatory Interaction Pattern' where the agent must ask for a registry address, repeat it back for confirmation, and state the exact command before execution. There is no evidence of data exfiltration, malicious prompt injection, or unauthorized access; it follows standard CLI authentication and environment variable patterns for registry management.
能力评估
Purpose & Capability
The name/description (manage and publish skills via SkillHub/ClawHub) aligns with the SKILL.md which instructs using the 'npx clawhub' toolchain to search, inspect, and publish. That capability legitimately requires a tool like 'npx' / Node/npm and the ability to read local skill folders and, when publishing, to use an API token. However, the skill metadata declares no required binaries or env vars while the runtime instructions clearly depend on 'npx' and token-related environment variables — an omission that makes the package metadata incomplete.
Instruction Scope
SKILL.md explicitly instructs the agent to: ask for and confirm a registry address, run 'npx clawhub' commands, validate existing tokens with 'npx clawhub whoami', read and publish a local folder (e.g., ./my-skill), and accept tokens from the user or environment. These actions (reading local directories, invoking npx, handling API tokens) go beyond passive observation. The instructions correctly require user confirmation for registry selection which is good, but they also reference environment variables (SKILLHUB_API_TOKEN, CLAWHUB_API_TOKEN, CLAWHUB_TOKEN) and local filesystem access without that being declared in the manifest — a mismatch worth flagging.
Install Mechanism
There is no install spec (instruction-only), which is lower risk because no archives are downloaded or code written to disk by the skill bundle itself. However, the runtime relies on 'npx' to fetch/execute the 'clawhub' CLI at runtime; this reliance on npx/npm network fetches is not documented in the package metadata and should be disclosed to users.
Credentials
The skill declares no required environment variables, but the instructions tell the agent to check for and possibly use SKILLHUB_API_TOKEN, CLAWHUB_API_TOKEN, and CLAWHUB_TOKEN, or to ask the user for an API token to log in. Requesting an API token is expected for publishing, but the manifest should declare that tokens/credentials are used. Because tokens allow publish actions and could be sensitive, the absence of explicit env var requirements and lack of guidance about token scope or lifetime is a proportionality/clarity concern.
Persistence & Privilege
The skill does not request persistent or always-on privileges (always:false) and does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined here with other high-privilege requests, so no additional persistence-related concern is evident.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install skillhub-manager - 安装完成后,直接呼叫该 Skill 的名称或使用
/skillhub-manager触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.3
Add strict ask-confirm-execute SkillHub address workflow
v1.0.1
Fix registry guidance and add README
v1.0.0
Initial public release
元数据
常见问题
SkillHub Manager 是什么?
Manage and publish agent skills on SkillHub and ClawHub. Best for developers and operators who need a repeatable workflow to search skills, inspect packages,... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 159 次。
如何安装 SkillHub Manager?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install skillhub-manager」即可一键安装,无需额外配置。
SkillHub Manager 是免费的吗?
是的,SkillHub Manager 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
SkillHub Manager 支持哪些平台?
SkillHub Manager 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 SkillHub Manager?
由 codeblackhole(@codeblackhole1024)开发并维护,当前版本 v1.0.3。
推荐 Skills