610 total downloads · 1 favorite · 4 current installs · 1 version
Install in OpenClaw
/install sync-trending
Description
Monitor technology trends (GitHub, etc.), contextualize them against the user's project, and autonomously verify them through installation and testing. Use...
Safe-use recommendations
This skill does what it says — it will look at your local project and, if you approve, clone and run third-party repositories to verify them. That is powerful but risky: cloning and installing dependencies can execute arbitrary code (via postinstall scripts or build steps) and might access or leak data. Before using this skill, consider the following:
1. Only allow deep dives when you trust the repository, and explicitly grant permission each time.
2. Prefer that the skill be changed to use strong isolation (run clones inside a disposable VM or container, drop privileges, and avoid cloning into your home directory).
3. Require and enforce dependency isolation (a Python virtualenv/venv, `npm ci --ignore-scripts`, or installing in a container) to reduce postinstall risk.
4. Never let it access secrets or environment variables; verify that the agent's memory (`save_memory`) does not contain sensitive data.
5. If you need stronger guarantees, run manual verifications yourself in an isolated environment, or ask the skill author to add explicit sandboxing instructions.
Providing the skill with explicit sandbox/container steps or a policy that forbids global installs would reduce my concern.
Functional analysis
Type: OpenClaw Skill
Name: sync-trending
Version: 0.1.0
This skill is classified as suspicious due to its inherent design to execute arbitrary, untrusted code from external sources. The `SKILL.md` explicitly instructs the agent to use `run_shell_command` to `git clone` repositories and then run build/install commands (`npm install`, `pip install`, `npm start`) based on instructions found in the untrusted repository's `README.md`. While the skill includes safety guidelines like requiring explicit user permission, cloning into a temporary directory, and instructing the agent not to expose secrets, the act of executing code from untrusted trending repositories (a known supply chain attack vector) poses a significant risk of remote code execution if a trending project is malicious or compromised. This represents a critical vulnerability rather than intentional malice by the skill itself.
Capability assessment
Purpose & Capability
Name/description match the instructions: fetching trending sources, contextualizing against the user's project, and verifying repos by cloning/running them are coherent with the skill's stated purpose.
Instruction Scope
The SKILL.md directs the agent to read local project files (README.md, package.json) and — with user permission — to git clone, install dependencies, and run third‑party code. While it requires asking permission before cloning/executing, it lacks concrete, safe sandboxing steps (containerization, virtualenv, non-root user), and it explicitly clones into a home subdirectory (~/.gemini/tmp/) rather than an isolated ephemeral environment.
Install Mechanism
Instruction-only skill with no install spec or external downloads; this minimizes install-time risk. The primary risk comes from runtime behavior (cloning and running untrusted code), not from the skill installing software itself.
Credentials
The skill requests no environment variables or credentials, which is appropriate, but it instructs reading local project files and checking 'save_memory' — actions that can expose secrets. The SKILL.md advises not to expose secrets but does not specify how to detect or avoid accidentally reading/transmitting them. Dependency installs (npm/pip) and repository code may trigger arbitrary network activity or postinstall scripts that access local resources.
Persistence & Privilege
`always:false` and default model invocation are appropriate. The skill does not request permanent presence or modify other skills. The main privilege concern is runtime (ability to clone/run code) rather than persistence.
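One way to implement the gate that the recommendations and the assessment above ask for before the agent runs an install step (clone target outside the home directory, detection of npm lifecycle hooks, a credential-free environment, and `npm ci --ignore-scripts`). This is an added example, not code from the skill or this listing; the package.json content, paths and environment values are constructed.

```python
import json
from pathlib import Path

# npm lifecycle hooks that run repository code automatically during `npm install` / `npm ci`.
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Allowlist for the install subprocess; everything else (tokens, API keys) is dropped.
ENV_ALLOWLIST = {"PATH", "HOME", "LANG", "TMPDIR"}
# Constructed package.json of a hypothetical trending repo, not a real project.
SAMPLE_PACKAGE_JSON = '{"name": "demo", "scripts": {"postinstall": "node setup.js", "test": "jest"}}'


def is_isolated_dir(target, home=None):
    """True unless target is the home directory or anything below it.

    The skill's own ~/.gemini/tmp/ location fails this check by design."""
    home = Path(home if home is not None else Path.home()).resolve()
    target = Path(target).resolve()
    return target != home and home not in target.parents


def npm_lifecycle_hooks(package_json_text):
    """Lifecycle scripts the repo declares; each one would execute during install."""
    scripts = json.loads(package_json_text).get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in NPM_HOOKS}


def scrubbed_env(env):
    """Environment handed to npm/pip: allowlisted keys only, so no credentials leak."""
    return {k: v for k, v in env.items() if k in ENV_ALLOWLIST}


def install_plan(clone_dir, package_json_text, env, home=None):
    """Gate the install step: returns (ok, command, findings, env_for_subprocess).

    A clone target inside the home directory is fatal; declared hooks are reported
    but neutralised because the command always passes --ignore-scripts."""
    ok = is_isolated_dir(clone_dir, home)
    findings = [] if ok else [f"clone target {clone_dir} is inside the home directory"]
    for name, cmd in npm_lifecycle_hooks(package_json_text).items():
        findings.append(f"package.json declares {name} hook: {cmd!r} (skipped)")
    command = ["npm", "ci", "--ignore-scripts"] if ok else []
    return ok, command, findings, scrubbed_env(env)


if __name__ == "__main__":
    result = install_plan("/tmp/scratch/repo", SAMPLE_PACKAGE_JSON,
                          {"PATH": "/usr/bin", "NPM_TOKEN": "t"}, home="/home/alice")
    print(result)
```

This covers the npm side only; a `pip install` of a repo that ships a setup.py also runs code, so the same gate is needed per ecosystem (or a wheel-only install inside a venv).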
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install sync-trending
- After installation, call the skill by name directly or trigger it with /sync-trending
- Provide the inputs required by the skill's parameter description to get structured output.
Version history
v0.1.0
Initial release of sync-trending.
- Monitors technology trends (e.g., GitHub Trending) and contextualizes them for the user's project.
- Provides "Contextualized Trend Reports" linking trending tools to project-specific value.
- Offers to verify trends by cloning and testing repositories, with explicit user permission.
- Summarizes verification outcomes and, if desired, generates actionable reports or integration plans.
- Includes strong safety guidelines for handling third-party code.
FAQ
What is sync-trending?
Monitor technology trends (GitHub, etc.), contextualize them against the user's project, and autonomously verify them through installation and testing. Use... It is an AI agent skill plugin for Claude Code / OpenClaw, with 610 downloads to date.
How do I install sync-trending?
Run the command `/install sync-trending` in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is required.
Is sync-trending free?
Yes, sync-trending is completely free (free and open source); you can download, install and use it freely.
Which platforms does sync-trending support?
sync-trending is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who develops sync-trending?
Developed and maintained by K (@likw99); current version v0.1.0.