Topic Research
Author: Abigale-cyber · v1.0.0 · MIT-0
Total downloads: 96
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install topic-research
Description
Run a second-hop deep research pass through the Tavily CLI after an initial scan, then normalize the result into a local `research.md` contract. Use when Cod...
Security usage recommendations
This skill legitimately wraps a Tavily CLI workflow to produce normalized research reports, but before installing or running it:
- Expect to install and trust a third‑party CLI (tvly). Audit the installer (https://cli.tavily.com/install.sh) before running curl | bash. Prefer installing from a reviewed package or vendor documentation if possible.
- Confirm the manifest is updated to declare 'tvly' as a required binary so the skill's declared requirements match its runtime needs.
- When creating the input markdown, avoid giving an absolute source_file that points outside the project (the skill will read absolute paths). Treat inputs as untrusted and run the skill in a workspace that contains no secrets.
- Be aware the skill will write files into content-production/inbox/ and content-production/inbox/raw/research/ and may overwrite existing files.
If you need higher assurance, request the author to: (1) add 'tvly' to required binaries in the registry metadata, (2) remove or restrict absolute-path reads for source_file, and (3) avoid recommending curl|bash installs in the README (or provide a pinned, auditable installer).
Functional analysis
Type: OpenClaw Skill
Name: topic-research
Version: 1.0.0
The topic-research skill uses the Tavily CLI to perform deep research and generate reports. It is classified as suspicious due to a path traversal vulnerability in runtime.py; the resolve_source_file function allows the source_file parameter to be an absolute path, which could be exploited to read arbitrary files on the system (e.g., /etc/passwd) if a crafted input markdown is provided. While the README.md suggests a risky curl|bash installation method for the Tavily CLI, there is no evidence of intentional malicious behavior or data exfiltration in the code itself.
Capability assessment
Purpose & Capability
The SKILL.md and runtime.py clearly require the 'tvly' (Tavily) CLI to be installed and available on PATH, and the README instructs running an external install script (curl | bash). However the registry metadata lists no required binaries or primary credential — that mismatch is incoherent. A research skill that depends on a third‑party CLI should declare that dependency explicitly in the manifest.
Instruction Scope
Instructions are focused on building a query, calling 'tvly research --json', parsing JSON, and writing a normalized markdown and raw JSON into content-production/inbox/. That matches the stated purpose. Two points to watch: (1) the code allows 'source_file' in frontmatter to be an absolute path and will read it as-is — that enables the skill to read arbitrary files if the input frontmatter is malicious or mistaken; (2) the skill will write files into repo-local paths (content-production/inbox/...), which is expected but may overwrite existing files without further safeguards.
Install Mechanism
The skill itself has no install spec (instruction-only), which is low-risk. But the README recommends installing Tavily via a remote install script (curl -fsSL https://cli.tavily.com/install.sh | bash). Installing third-party CLIs via curl|bash is a higher‑risk action and should be audited before execution. The skill does not ship or pin the Tavily binary and relies on whatever the remote installer provides.
Credentials
The skill requests no environment variables or credentials in the manifest, which is consistent with not embedding credentials. However, it depends on a logged-in Tavily CLI; Tavily will presumably access its own auth tokens/config locally (not declared here). Also, because 'source_file' can be absolute, an attacker or misconfigured input could point the skill at sensitive local files — this is a proportionality/design concern rather than explicit credential exfiltration in the skill itself.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. It writes outputs into repository-local directories and does not appear to modify other skills or global agent settings.
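How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: `/install topic-research`
- Once installation finishes, call the skill by name or use `/topic-research` to trigger it.
- Provide the required input according to the skill's parameter description to get structured output.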
Version history
v1.0.0
- Initial release of the `topic-research` skill for deep research on selected topics.
- Runs a second-hop investigation using Tavily CLI, following an initial scan or news collection.
- Normalizes reports into a local `research.md` contract, including a writing decision layer to guide content follow-up.
- Requires a markdown input with YAML fields (topic, question, model, etc.).
- Outputs structured research reports and saves raw source data for traceability.
- Ensures strict dependency handling and consistent output format.
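FAQ
What is Topic Research?
Run a second-hop deep research pass through the Tavily CLI after an initial scan, then normalize the result into a local `research.md` contract. Use when Cod... It is an AI agent skill plugin for Claude Code / OpenClaw, with 96 downloads to date.
How do I install Topic Research?
Run the command "/install topic-research" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Topic Research free?
Yes. Topic Research is completely free under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does Topic Research support?
Topic Research is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Topic Research?
It is developed and maintained by Abigale-cyber (@abigale-cyber); the current version is v1.0.0.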