spideystreet

Sm Saver

Author 𝑠𝑝𝑖𝑑𝑒𝑦 · GitHub ↗ · v0.0.0-pr-check
cross-platform ⚠ suspicious
Total downloads: 372
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install sm-saver
Description
Save and digest resources from social media posts (X/Twitter, LinkedIn) or any URL. Use when the user shares a tweet URL, a LinkedIn post, or any link they w...
Security usage recommendations
This skill mostly does what it says (extracts links, fetches them, summarizes, and appends to a resources.md file), but before installing or running it consider:
  1. Confirm the host environment has the expected tools: xurl, python3, and whatever 'summarize' CLI is intended — ask the skill author which 'summarize' binary/service is required.
  2. Be aware the skill will fetch arbitrary URLs you supply (or that someone supplies) and could contact internal network addresses — avoid giving it untrusted or internal links, or run it in a sandbox.
  3. It will write to ~/workspace/resources.md; ensure you’re comfortable with automated writes to that path.
  4. Verify the provenance/trustworthiness of xurl and the summarizer (is summarization done locally or by a remote API that could receive fetched content?).
If you need stronger assurance, request the skill author to: declare python3 and summarize in requires.bins, document the summarize implementation, limit or validate which URLs are fetched, and make the output file path configurable instead of hardcoded.
Functional analysis
Type: OpenClaw Skill
Name: sm-saver
Version: 0.0.0-pr-check
The skill bundle contains a significant command injection vulnerability in SKILL.md. It instructs the agent to execute shell commands and a Python one-liner where user-provided URLs are directly interpolated into the execution string (e.g., `summarize "<url>"` and `urllib.request.Request('<url>', ...)`). While the stated purpose of saving social media resources is plausible, the lack of input sanitization in these `exec` calls allows a crafted URL to execute arbitrary code on the host system. No evidence of intentional malice or data exfiltration was found, but the implementation is highly insecure.
Capability assessment
Purpose & Capability
The skill name and description match the actions in SKILL.md (extract tweet/LinkedIn content, fetch linked URLs, summarize, append to a resource log). Declaring xurl as a required binary is appropriate for Twitter/X extraction. However the instructions rely on a 'summarize' CLI (used first) and on python3 for a fallback without declaring them as required binaries. Also the skill will write to ~/workspace/resources.md — reasonable for a saver but not declared in metadata as a config path.
Instruction Scope
Instructions tell the agent to fetch arbitrary URLs (via 'summarize' or a python3 fallback that performs HTTP requests) and to append results to ~/workspace/resources.md. Fetching arbitrary URLs is central to the purpose but carries SSRF/side-channel risk (internal endpoints could be contacted if a user or adversary supplies internal URLs). The agent is explicitly instructed to run arbitrary shell commands (exec tool) using user-supplied URLs; the 'summarize' command is underspecified, so it could be local or call remote services. The file write is explicit and will modify user workspace files — this should be visible to the user and authorized.
Install Mechanism
There is no install spec and no code files — instruction-only — so nothing will be written to disk by an installer. This is the lower-risk model for skill distribution.
Credentials
The skill requests no credentials or environment variables, which aligns with its stated purpose. However it omits declaring python3 and the 'summarize' CLI as required binaries, which is an inconsistency (the fallback uses python3; the primary summarizer is unspecified). No secrets are requested, which is good.
Persistence & Privilege
always is false and the skill does not request special platform privileges. It will, if invoked, write to ~/workspace/resources.md (its own artifact) but it does not ask to persist credentials or modify other skills/configs.
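How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog box: /install sm-saver
  3. Once installation completes, call the Skill by name or trigger it with /sm-saver
  4. Provide the necessary input according to the Skill's parameter description to get structured output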
Version history
v0.0.0-pr-check
Slug availability check
Metadata
Slug sm-saver
Version 0.0.0-pr-check
License
Total installs 0
Current installs 0
Historical versions 1
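FAQ

What is Sm Saver?

Save and digest resources from social media posts (X/Twitter, LinkedIn) or any URL. Use when the user shares a tweet URL, a LinkedIn post, or any link they w... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 372 total downloads so far.

How do I install Sm Saver?

Run the command "/install sm-saver" in the OpenClaw or Claude Code dialog box for a one-click install; no additional configuration is required.

Is Sm Saver free?

Yes, Sm Saver is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Sm Saver support?

Sm Saver runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Sm Saver?

Developed and maintained by 𝑠𝑝𝑖𝑑𝑒𝑦 (@spideystreet); the current version is v0.0.0-pr-check.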
