Total downloads: 109 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw: /install smart-skill-finder
Description
Finds and recommends relevant AI agent skills across multiple ecosystems (Skills CLI, Clawhub, GitHub) using intelligent semantic understanding to match user...
Safe-usage recommendations
What to check before installing/using this skill:
1) Review and sanitize inputs: the Skills-CLI search runs via subprocess.run with shell=True using user-derived text. If you or the agent runs this code on arbitrary user input, command injection is possible. Prefer the list form of subprocess.run, or escape and validate the query string before it reaches a shell.
2) Verify claimed features: the README/SKILL.md advertise semantic-model based understanding, VirusTotal checks, and workspace/memory integration, but the code uses simple keyword matching and I found no VirusTotal or local workspace reads. Treat those claims as marketing until the author provides evidence or code updates.
3) Be cautious with browser automation: the browser discovery code assumes a browser_controller and will drive a browser (open pages, type, press keys). Only run this in a controlled environment and avoid passing credentials or sensitive context to it.
4) Installation commands are returned (git clone, npx, clawhub). Do not execute them automatically — inspect sources (GitHub repo, author) before cloning/running third-party skills. Consider cloning into a sandboxed VM/container and scanning the repo before use.
5) If you plan to run this skill in production or allow it to be invoked autonomously, request the author to:
- Remove shell=True usage or properly escape/validate user inputs; use subprocess.run([...]) list form.
- Make security-scanning calls explicit (show how VirusTotal/OpenClaw are queried and where API keys would be stored if needed).
- Document the browser_controller contract and provide safe default behavior.
Given these issues (misleading claims + a real shell-injection pattern), review and remediation are recommended before trusting the skill in an environment with sensitive data or in which the agent can run code autonomously.
Functional analysis
Type: OpenClaw Skill
Name: smart-skill-finder
Version: 1.0.0
The skill bundle contains a shell injection vulnerability in 'scripts/ecosystems.py' within the 'search_skills_cli' function. User-provided keywords are embedded directly into a command string executed via 'subprocess.run' with 'shell=True', allowing for arbitrary command execution if the input contains shell metacharacters (e.g., double quotes). While the skill's logic for discovering agent skills across Clawhub, GitHub, and Skills CLI appears legitimate and well-documented, this implementation flaw poses a significant security risk.
Capability assessment
Purpose & Capability
The code implements multi-ecosystem search (Clawhub, Skills CLI, GitHub) and returns install commands — this aligns with the stated purpose. However, the README/SKILL.md claim higher-level features ("OpenClaw's semantic understanding", VirusTotal security checks, workspace/memory integration, learning over time) that are not actually implemented in the provided code (the query understanding is simple keyword matching). The mismatch between the claimed semantic capabilities and the simple keyword logic is an over-claim, not outright malicious, but it is misleading.
Instruction Scope
SKILL.md promises read-only, safe behavior and says it never executes installs automatically — the implementation appears to respect that (it formats install commands rather than running them). However, the ecosystems module executes external commands to search the Skills CLI using subprocess.run with shell=True and a command string constructed from user queries (e.g., `npx skills find "{search_terms}" --json`). Because search_terms are derived from the user query with minimal escaping, this creates a command-injection risk if that code is invoked with untrusted input. The code also includes browser automation logic that assumes a browser_controller interface and will drive a browser snapshot/type/press_key flow; that can interact with remote sites and scrape content. Additionally, the skill claims workspace awareness and memory integration but I see no file-reading or memory calls in the code — this is a scope mismatch.
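To make the Instruction Scope finding and the list-form remediation from the safe-usage recommendations concrete, here is an added Python example; it is not code from the smart-skill-finder skill or its author. It assumes only the command shape quoted above (`npx skills find "{search_terms}" --json`); the function names, the allowlist regex and the constructed inputs are illustrative choices made for this example. It contrasts the shell-string pattern (built but never executed) with the list-form call, using shlex to show how a double quote in the search terms changes the word boundaries a shell would see, and how the list form and shlex.quote each keep the terms as a single argument.

```python
import re
import shlex
import subprocess
from typing import List, Optional

# Hypothetical allowlist for this example: letters, digits, spaces and a few
# punctuation marks. The skill defines no such policy; tune it to the query
# shapes you actually expect. Shell metacharacters (" ; | & $ ` etc.) are
# deliberately outside the set.
_SAFE_QUERY = re.compile(r"[A-Za-z0-9 _.\-]{1,100}")


class UnsafeQueryError(ValueError):
    """Raised when a search term fails validation."""


def vulnerable_command(search_terms: str) -> str:
    """The pattern flagged above: user text interpolated straight into a shell
    command string. Only built here, never executed. A shell re-parses this
    string, so a double quote inside search_terms ends the quoted argument early."""
    return f'npx skills find "{search_terms}" --json'


def shell_word_count(command: str) -> int:
    """How many words a POSIX-style parser sees in the command string.
    The intended call has exactly five: npx, skills, find, <terms>, --json."""
    return len(shlex.split(command))


def safe_argv(search_terms: str) -> List[str]:
    """List form: search_terms reaches execve as exactly one argv element, so no
    shell ever re-parses it. Validation is kept as defence in depth, so malformed
    queries are rejected before anything runs."""
    if not _SAFE_QUERY.fullmatch(search_terms):
        raise UnsafeQueryError(f"rejected search terms: {search_terms!r}")
    return ["npx", "skills", "find", search_terms, "--json"]


def quoted_shell_command(search_terms: str) -> str:
    """If a shell string truly cannot be avoided (e.g. a pipeline is needed),
    shlex.quote turns the term into a single shell word regardless of content."""
    return f"npx skills find {shlex.quote(search_terms)} --json"


def quoted_shell_words(search_terms: str) -> List[str]:
    """The words a shell would see for the shlex.quote variant."""
    return shlex.split(quoted_shell_command(search_terms))


def run_skills_search(search_terms: str, dry_run: bool = True) -> Optional[str]:
    """Build the hardened argv and optionally run it without a shell.
    dry_run=True (default) returns the command that would run, which keeps this
    example runnable without npx installed."""
    argv = safe_argv(search_terms)
    if dry_run:
        return shlex.join(argv)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=60, check=False)
    return result.stdout


if __name__ == "__main__":
    benign = "pdf parser"
    # Constructed input containing a double quote, the metacharacter the analysis
    # names; it carries no command, just extra quoting.
    quote_breaking = 'pdf" extra "'
    print("intended words:", shell_word_count(vulnerable_command(benign)))
    print("words after quote-breaking input:", shell_word_count(vulnerable_command(quote_breaking)))
    print("quoted form stays one word:", quoted_shell_words(quote_breaking))
    print("hardened dry run:", run_skills_search(benign))
    try:
        run_skills_search(quote_breaking)
    except UnsafeQueryError as exc:
        print("validator:", exc)
```

Run the file directly; the default dry run keeps it offline. Set dry_run=False only in an environment where npx and the Skills CLI are actually installed, and note that even the hardened argv still launches a third-party tool, so the validation step is worth keeping rather than relying on the list form alone.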
Install Mechanism
There is no install spec and no packaged native installer — the skill is included as code files (no external downloads during install). That lowers install-time risk. The code does build install commands (git clone, npx add, clawhub install) but those are only returned to the user, not executed by the skill itself.
Credentials
The skill requests no environment variables or credentials, which is proportionate. However documentation references (VirusTotal/OpenClaw security scanning) are present even though I found no code calling VirusTotal or other security services. Also GitHub API calls are made unauthenticated (no token requested), which is reasonable but may be rate-limited; nothing in the repo requests unrelated credentials.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and doesn't write persistent configuration as part of an install spec. It returns install commands but does not, in the provided code, automatically run them or persist credentials.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install smart-skill-finder
- After installation, call the skill by its name directly or trigger it with /smart-skill-finder
- Provide the required inputs according to the skill's parameter description to receive structured output
Version history
v1.0.0
Initial release of Smart Skill Finder — an intelligent skill discovery tool for AI agents.
- Finds and recommends relevant AI agent skills using semantic understanding of user requests.
- Searches across multiple ecosystems (Skills CLI, Clawhub, GitHub) and ranks by relevance.
- Provides verified, secure installation guidance and highlights security status where available.
- Handles nuanced natural language queries and works reliably even if some sources are offline.
- Limits results to the top 3 most relevant skills for clear, actionable recommendations.
FAQ
What is Smart Skill Finder?
Finds and recommends relevant AI agent skills across multiple ecosystems (Skills CLI, Clawhub, GitHub) using intelligent semantic understanding to match user... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 109 downloads to date.
How do I install Smart Skill Finder?
Run the command "/install smart-skill-finder" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is Smart Skill Finder free?
Yes, Smart Skill Finder is completely free, released under the MIT-0 license, and can be downloaded, installed and used freely.
Which platforms does Smart Skill Finder support?
Smart Skill Finder is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Smart Skill Finder?
Developed and maintained by Eron (@edkuo7); the current version is v1.0.0.