← 返回 Skills 市场
96
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install smart-agent-template
功能描述
Smart Agent 工作流模板:三重判断机制 + 自动更新 + Context 优化。包含完整的任务执行规范、WBS 拆分、流程豁免阈值、记忆管理等最佳实践。
安全使用建议
Before installing or running this skill: 1) Treat the repo as code that will run on your system — audit scripts/auto_update.sh and any start scripts. 2) Disable automatic updates (set config/auto_update.yaml enabled: false and do not run auto_update.sh) until you trust the source. 3) Inspect any code that will be run on startup (bot entrypoints, auto-update, health/metrics scripts) and verify they don't call external URLs you don't expect. 4) Be cautious about enabling integrations — only set FEISHU/TELEGRAM/CLAUDE/OPENAI/OLLAMA credentials if you reviewed the integration code; keep secrets out of shared/mounted workspaces. 5) If you plan to let other agents 'read and obey' AGENTS.md or inject it into system prompts, be aware this is effectively a system-prompt override; only do so with fully audited content. 6) Prefer running in an isolated environment (container or VM) and limit network access until you've audited the update mechanism and webhook handlers. 7) If you need higher assurance, ask the publisher for a source URL / signed release; absence of a homepage and unknown owner ID reduces trust.
功能分析
Type: OpenClaw Skill
Name: smart-agent-template
Version: 1.1.0
The skill bundle is classified as suspicious due to several high-risk security practices and intentional security bypasses. Most notably, 'integrations/feishu/start_longconn.sh' and 'integrations/feishu/start_bot.py' explicitly disable SSL certificate verification, with the former even using a Python script to patch the 'lark-oapi' library code on the local disk to force an unverified SSL context. Additionally, 'scripts/auto_update.sh' implements an auto-update mechanism that performs a 'git pull' from a remote repository (github.com/whhaijun/agent-workflow.git), which introduces a significant supply chain risk and potential for remote code execution. While these appear to be misguided 'convenience' features for developers, they create critical vulnerabilities like Man-in-the-Middle (MITM) and unauthorized code execution.
能力评估
Purpose & Capability
The files and code (memory manager, WBS, multi-agent docs, Telegram/Feishu bot integrations, ChromaDB/OpenClaw/Ollama guides) are broadly coherent with a 'smart agent workflow' template. However the registry metadata declares no required env vars or binaries while the included integration code and docs clearly expect many credentials and local services (Telegram token, Feishu app secrets, Claude/OpenAI API keys, Ollama local service, ChromaDB, OpenClaw). That mismatch is unexpected and should be justified by the author.
Instruction Scope
Runtime instructions and docs direct agents to read and enforce AGENTS.md (which the skill suggests embedding into other agents' system prompts), to auto-check/pull updates from GitHub/Gitee on startup, to run networked bots (webhooks/polling), and to access local memory files. The SKILL/README explicitly recommends making other agents 'read and obey' AGENTS.md (prompt injection risk). These instructions go beyond passive guidance and enable updating behavior and system-prompt modification.
Install Mechanism
There is no declared install spec, but the package contains scripts such as scripts/auto_update.sh and start scripts. The default auto_update.yaml enables update checks on startup (enabled: true, check_on_startup: true) and mentions silent updates. Automatic pull-and-update behavior from remote repositories creates a remote code execution/update vector unless you audit/disable it first.
Credentials
Registry lists no required environment variables, yet many files and docs require/expect secrets and endpoints (FEISHU_APP_ID/SECRET/VERIFICATION_TOKEN/ENCRYPT_KEY, TELEGRAM_BOT_TOKEN, CLAUDE_API_KEY, OPENAI_API_KEY, OLLAMA_BASE_URL, CHROMA/DB dirs, etc.). Requiring none in metadata while shipping integration code that needs sensitive credentials is an incoherence and raises risk of accidental credential exposure or misconfiguration.
Persistence & Privilege
The skill isn't marked always:true, but it defaults to auto-update on startup and provides scripts to check and pull remote changes. That gives it potential to change its own code after installation (automatic updates) which increases blast radius. It does not appear to modify other skills' configs, but the ability to fetch and install updates silently is a privilege that should be controlled.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install smart-agent-template - 安装完成后,直接呼叫该 Skill 的名称或使用
/smart-agent-template触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.0
新增自动更新功能 + 流程豁免阈值
v1.0.0
- Initial release of the smart-agent-workflow skill.
- Provides a systematic AI agent methodology focused on high quality, high efficiency, and high cost-saving.
- Features include task type identification, WBS decomposition, P0/P1 task reporting, safety checks, and context management.
- Designed to be channel-agnostic; works with Claude Code, Cursor, Codex, OpenClaw, and any AI agent.
- Offers practical setup guides and recommended installation combinations for easy adoption.
元数据
常见问题
Smart Agent Template 是什么?
Smart Agent 工作流模板:三重判断机制 + 自动更新 + Context 优化。包含完整的任务执行规范、WBS 拆分、流程豁免阈值、记忆管理等最佳实践。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 96 次。
如何安装 Smart Agent Template?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install smart-agent-template」即可一键安装,无需额外配置。
Smart Agent Template 是免费的吗?
是的,Smart Agent Template 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Smart Agent Template 支持哪些平台?
Smart Agent Template 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Smart Agent Template?
由 Mark(@whhaijun)开发并维护,当前版本 v1.1.0。
推荐 Skills