Total downloads: 761
Favorites: 0
Current installs: 4
Versions: 1
Install in OpenClaw
/install skillstore
Description
Search, install, and create OpenClaw skills using intelligent matching across built-in, local, and GitHub skill repositories.
Security usage advice
This skill appears to do what it says: search built-in/local/GitHub skills and install/create skills. Before installing or using it, review the main.js install/exec logic (look for exactly what commands it runs when installing a GitHub repo). Expect the CLI to read sibling skill directories (it scans SKILL.md/README.md), and expect it to write a local config.json in the skill directory. When installing a skill from GitHub, manually inspect the repo (or test in an isolated environment) because installers commonly shell out and may run repo-provided scripts. Also note the docs claim a different local-skill path (~/.openclaw/...) than the code uses — verify where it will actually search on your system if that matters.
Functional analysis
Type: OpenClaw Skill
Name: skillstore
Version: 1.0.0
The `main.js` file contains a critical shell injection vulnerability (RCE) in the `installFromGitHub` function. It uses `child_process.exec` with unsanitized `repo` and `name` variables, which are directly sourced from GitHub API responses. A malicious GitHub repository with a crafted name could exploit this to execute arbitrary commands on the system when a user attempts to install it. Additionally, the `createNewSkill` function, when invoked via `skillstore create <name>`, is vulnerable to code injection as it embeds the unsanitized `<name>` argument directly into the generated `main.js` template, allowing for arbitrary code to be injected into newly created skills.
Capability assessment
Purpose & Capability
Name/description (search/install/create skills) align with the included code and docs. Minor mismatch: SKILL.md says local skills are in ~/.openclaw/workspace/skills/, but main.js.searchLocal looks at the parent directory of the skill (path.join(__dirname, '..')). That's inconsistent but plausibly an implementation detail.
Instruction Scope
SKILL.md instructs searching known, local, and GitHub sources and installing from GitHub. main.js implements these searches, reads local skill files (SKILL.md/README.md) in sibling directories, queries the GitHub search API, and references child_process.exec (used for installs). The instructions do not show exact install commands the script will run — the presence of exec means installs could run arbitrary shell commands from repos, which is expected behavior for an installer but increases risk if you don't review targets first.
Install Mechanism
No install spec is declared (instruction-only), and no external archive downloads or extract steps are present in repository metadata. The included main.js uses HTTPS to call the GitHub API and uses child_process.exec for operations (likely cloning/installing). No suspicious external download URLs or shorteners were found in the provided files.
Credentials
The skill declares no required env vars or credentials and its code does not read secrets or environment variables. It uses only public GitHub API calls and local filesystem access relative to the skill location.
Persistence & Privilege
The skill is not always-enabled, and it stores state in a local config.json (CONFIG_FILE in its directory). It does not request elevated privileges or modify other skills' configs according to the provided files.
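How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install skillstore`
- Once installation completes, call the Skill by name or use `/skillstore` to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.0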
SkillStore is a new skill manager for OpenClaw, providing intelligent search, install, and skill creation features.
- Search for skills (built-in, local, and on GitHub) with fuzzy matching and relevance scores.
- Install skills directly from GitHub.
- Create new skills using templates via `skillstore create <name>`.
- Visual match scoring makes it easy to assess relevance at a glance.
- List installed skills and browse the built-in database of 20 popular skills.
- No setup required—works out of the box.
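FAQ
What is Skillstore?
Search, install, and create OpenClaw skills using intelligent matching across built-in, local, and GitHub skill repositories. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 761 cumulative downloads to date.
How do I install Skillstore?
Run the command "/install skillstore" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.
Is Skillstore free?
Yes, Skillstore is completely free (open source) and can be freely downloaded, installed, and used.
Which platforms does Skillstore support?
Skillstore is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Skillstore?
It is developed and maintained by Glitch (@chris6970barbarian-hue); the current version is v1.0.0.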