don-gbot

Source Library

Author: Don-GBot · GitHub · v2.1.1
cross-platform ⚠ suspicious
Total downloads: 677
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install source-library
Description
Searchable knowledge base that captures and cross-references everything users share. Auto-triggers when user shares ANY URL (article, tweet, thread, repo, vi...
Safe usage recommendations
This skill appears to do what it says: create and manage a local markdown knowledge base. Before installing or enabling auto-triggering, consider the following:
- Privacy: the skill auto-processes and saves any URL shared in chat. If you (or other users) sometimes post private links, one-off auth-bearing URLs, or internal resources, those could be written to disk. Avoid sharing sensitive links while it's enabled or disable the auto-trigger.
- Workspace location: set OPENCLAW_WORKSPACE to a directory you control (or run setup in a sandbox workspace) so saved files go where you expect (life/source/*). Review permissions on that directory.
- Inspect remainder of code: the provided source shows only filesystem operations; however a truncated portion remains. Review the full scripts/source-library.js to confirm there are no network fetches or remote endpoints used when auto-processing.
- Run tests in a sandbox: run scripts/test.js with OPENCLAW_WORKSPACE pointed to a disposable temp directory to see behavior and outputs before using with real data.
- Canonicalization limits: the code strips some tracking params (utm_*, fbclid, gclid, etc.) but will not remove secrets embedded in URL paths or uncommon query param names. Be careful with token-bearing URLs.
- Control auto-processing: if you want the library but not automatic captures, install the skill but do not enable the agent-side auto-trigger, or use the CLI manually to save only links you want persisted.

If you want me to, I can (a) scan the remaining truncated portion of scripts/source-library.js for network activity and hidden behavior, (b) produce a checklist of file-system paths and example commands to sandbox the skill safely, or (c) highlight exact lines to change to disable automatic saving.
Functional analysis
Type: OpenClaw Skill
Name: source-library
Version: 2.1.1

The skill is vulnerable to shell injection due to the `SKILL.md`'s auto-trigger behavior combined with `allowed-tools: "Bash(node:*)"`. The agent is instructed to execute `node scripts/source-library.js save` with arguments derived from user-shared URLs (e.g., `--name`, `--url`, `--claims`). If these user-controlled values are not properly sanitized by the agent before constructing the Bash command, a malicious user could inject arbitrary shell commands. Additionally, the agent is instructed to 'Analyze with context' using content from user-populated markdown files, creating a potential prompt injection vector against the agent itself.
Capability assessment
Purpose & Capability
Name/description match what is provided: Node.js scripts that create and manage a local markdown-based knowledge base under life/source. The skill requires no credentials, no external binaries, and the code reads/writes workspace files to implement the described features (save, list, search, connections, queue). There are no environment variables or binaries requested that are unrelated to the purpose.
Instruction Scope
SKILL.md instructs the agent to auto-process any URL shared in chat and to run the included node script commands. The runtime instructions and code operate on workspace files and call node scripts via shell (allowed-tools 'Bash(node:*)'), which is consistent with the described behavior. This auto-triggering can capture links the user didn't intend to persist. The visible code performs filesystem traversal to find a workspace root and reads/writes files under life/source; that is coherent but has privacy implications. The provided files do not show arbitrary network calls, but the SKILL.md implies automatic analysis (agent-level summarization) — review the rest of the code (the truncated portion) to confirm no web fetching or remote endpoints are contacted when auto-processing.
Install Mechanism
No install spec is provided (instruction-only install), so nothing is downloaded or extracted during install. The package includes only local Node.js scripts and a package.json; there are no remote URLs, third-party packages fetched by the skill itself, or installation steps that would pull arbitrary code from the network.
Credentials
The skill requests no secrets or API keys. It optionally respects OPENCLAW_WORKSPACE to locate the workspace root, which is proportionate. There are no credentials or config paths declared that would grant access to unrelated services.
Persistence & Privilege
always:false and disable-model-invocation:false (defaults) — the skill can be invoked autonomously by the agent, and SKILL.md describes automatic triggers on shared URLs. The skill writes persistent markdown files under the user's workspace (life/source). This is expected for a knowledge-base skill, but combined with the auto-capture behavior it increases the risk of unintentionally persisting sensitive URLs or metadata. The skill does not request system-wide privileges or attempt to modify other skills' configs.
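How to use
  1. Make sure OpenClaw is installed (locally or deployed via Docker)
  2. Enter the install command in the chat box: /install source-library
  3. Once installation completes, invoke the Skill by name or trigger it with /source-library
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history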
v2.1.1
Clean republish, improved README with usage examples
v2.1.0
Decay tracking, cross-references, conflict detection, connection mapping, hybrid search support
Metadata
Slug source-library
Version 2.1.1
License
Total installs 0
Current installs 0
Number of versions 2
FAQ

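What is Source Library?

Searchable knowledge base that captures and cross-references everything users share. Auto-triggers when user shares ANY URL (article, tweet, thread, repo, vi... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 677 total downloads to date.

How do I install Source Library?

Run the command "/install source-library" in the OpenClaw or Claude Code chat box for a one-click install; no extra configuration is needed.

Is Source Library free?

Yes, Source Library is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Source Library support?

Source Library runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Source Library?

Developed and maintained by Don-GBot (@don-gbot); current version v2.1.1.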
