ktdmax

SupaSkills

Author: Kill The Dragon · GitHub · v1.1.0
cross-platform ⚠ suspicious
Total downloads: 603
Favorites: 0
Current installs: 3
Versions: 1
Install in OpenClaw
/install supaskills
Description
Search and load 1,000+ quality-scored expert skills from SupaSkills.ai
Security usage recommendations
This skill appears to do what it says (search and load SupaSkills prompts) and uses only the SupaSkills API. However, the SKILL.md requires SUPASKILLS_API_KEY while the registry metadata does not declare it — ask the publisher to fix the metadata. Before installing: verify the supaskills.ai domain and publisher (homepage/repo), only supply an API key you control and can revoke, store it in a secrets manager (not checked into git), and consider disabling autonomous invocation for this skill if you don't want the agent to call the third-party API without explicit approval. If you need higher assurance, request the skill's source or API docs and confirm the key's scope and rate limits.
Functional analysis
Type: OpenClaw Skill
Name: supaskills
Version: 1.1.0
The `SKILL.md` file defines `curl` commands that incorporate user-controlled parameters (`{query}` and `{slug}`) directly into shell commands. If the OpenClaw agent executes these commands without proper input sanitization, it introduces a significant shell injection vulnerability (potential RCE). While the skill's stated purpose is to interact with `supaskills.ai` and there is no clear evidence of intentional malicious behavior like data exfiltration to unrelated domains or persistence mechanisms, this critical vulnerability warrants a 'suspicious' classification.
Capability assessment
Purpose & Capability
The name and description (search/load SupaSkills prompts) align with the SKILL.md instructions: both describe searching the SupaSkills API and loading a skill prompt to use as expert reference. There is no request for unrelated binaries or services in the instructions.
Instruction Scope
Runtime instructions stay within the stated purpose: they call SupaSkills API endpoints via curl, present results to the user, and instruct the agent to use returned text as reference while not treating it as an override. The instructions do not reference unrelated system files, other credentials, or unexpected external endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk or fetched during install — lowest-risk install posture.
Credentials
SKILL.md requires an API key (SUPASKILLS_API_KEY) and shows curl examples using an Authorization header, which is appropriate for the service. However, the registry metadata lists no required environment variables or primary credential — that mismatch is an incoherence. The skill asks the user to store a secret in env vars (and even documents the key prefix), so the metadata should have declared this. Confirming the API key scope and whether the key can be rotated/revoked is recommended.
Persistence & Privilege
The skill is not 'always' enabled and is user-invocable; model invocation is allowed (normal). There is no install-time persistence or modifications to other skills/configs. Note: autonomous invocation + an external API key increases blast radius if the key is misused, but here that is a standard pattern for API-backed skills.
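How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install supaskills
  3. Once installation completes, call the Skill by name or trigger it with /supaskills
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history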
v1.1.0
Security: safe prompt loading, API key warning, error handling
Metadata
Slug: supaskills
Version: 1.1.0
License:
Total installs: 3
Current installs: 3
Historical versions: 1
FAQ

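What is SupaSkills?

Search and load 1,000+ quality-scored expert skills from SupaSkills.ai. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 603 total downloads to date.

How do I install SupaSkills?

Run the command "/install supaskills" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.

Is SupaSkills free?

Yes, SupaSkills is completely free (open source and free of charge) and can be freely downloaded, installed, and used.

Which platforms does SupaSkills support?

SupaSkills runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops SupaSkills?

It is developed and maintained by Kill The Dragon (@ktdmax); the current version is v1.1.0.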
