Understand-Anything
Author: Yuxiang Lin · v1.1.0 · MIT-0
216 total downloads · 0 favorites · 1 current install · 1 version
Install in OpenClaw
/install understand
Description
Analyze a codebase to produce an interactive knowledge graph for understanding architecture, components, and relationships
Security usage recommendations
This skill will read many project files, create temporary scripts in /tmp, and execute them (Node.js is assumed) while sending extracted file contents into dispatched subagents. Before installing:
(1) Confirm the runtime has git and node (or request the author to declare required binaries).
(2) Ask the author to fix the contradictory exclusion rules (the scanner claims to exclude *.json/*.md but then reads package.json and README.md).
(3) Verify whether subagent prompts are sent to external model(s); if so, do not allow sensitive files (configs, env files, secrets) to be included — request an option to redact or exclude paths.
(4) Prefer running this tool in a sandbox or on a copy of the repo with secrets removed.
(5) If you only want limited analysis, use the documented --full/dir argument to scope to a safe subdirectory.
(6) Inspect .understand-anything and /tmp outputs after a run and remove them if you don't want persistent artifacts.
If you need help formulating questions for the skill author (required binaries, data exfil rules, ability to run offline), I can draft those.
Functional analysis
Type: OpenClaw Skill
Name: understand
Version: 1.1.0
The 'understand' skill bundle implements a multi-phase codebase analysis pipeline that relies on generating and executing dynamic scripts (Node.js, Python, or Bash) to perform file discovery, structural analysis, and graph validation. While these capabilities are aligned with the stated purpose of architectural mapping, the pattern of writing and executing generated code from an AI agent represents a significant attack surface. Specifically, Phase 0 and Phase 1 ingest external project data (README.md and manifests) into subagent prompts, which could facilitate prompt-injection attacks if the analyzed codebase is malicious. No evidence of intentional data exfiltration or persistence was found in files like SKILL.md or the various prompt templates.
Capability assessment
Purpose & Capability
The skill claims to analyze a codebase but its instructions repeatedly assume availability of command-line tools (git, node, find, wc, mkdir) and the ability to write/execute temporary Node.js scripts. The registry metadata declares no required binaries or env vars — that mismatch is incoherent. Legitimately, a local code analyzer would need git and a runtime (node/python) declared explicitly.
Instruction Scope
SKILL.md instructs reading many repository files (README, manifests, all source files), composing those contents into subagent prompts, and writing intermediate files under .understand-anything and /tmp. The Project Scanner prompt also contains a direct contradiction: it lists an exclusion filter that would drop *.json and README.md, but elsewhere the pipeline explicitly reads package.json, tsconfig.json, and README.md. Subagents receive file contents (README, manifest, file batches) which will be included in prompts — this effectively transmits repo content to whatever model/subagent endpoint is used.
Install Mechanism
There is no install spec (instruction-only), which usually lowers risk. However, the runtime instructions require creating and executing ad-hoc scripts (Node.js) in /tmp and running shell commands. That means code will be written and run at analysis time even though nothing is installed up-front; this dynamic execution increases risk compared with a pure read-only inspector.
Credentials
The skill declares no environment variables or credentials, which is good, but it will read repository files (including manifests and potentially config files) and inject their contents into subagent prompts. That can leak sensitive data contained in the repository (API keys, DB connection strings in config files). The prompts do not limit which files are sent and the exclusion rules are inconsistent, so sensitive files could be included unintentionally.
Persistence & Privilege
The skill does not request 'always: true' and will write output under the project directory (.understand-anything/) and temp files under /tmp. That level of persistence is typical for analysis tools and is proportionate, but be aware it creates on-disk artifacts and executes temporary scripts. Autonomous invocation is enabled by default (not flagged by itself) — combined with the other concerns that increases blast radius.
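How to use
- Make sure OpenClaw is installed (locally or via Docker).
- Enter the install command in the chat box: /install understand
- Once installation completes, invoke the Skill by name or trigger it with /understand
- Provide the required input according to the Skill's parameter description to get structured output.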
Version history
v1.1.0
understand 1.1.0
- Adds support for incremental codebase analysis using git commit hash tracking.
- Introduces full vs. incremental analysis modes with logic for efficient graph rebuilding on code changes.
- Gathers project context (README, manifest, directory tree, entry point) for more accurate analysis.
- Batches file analysis for improved performance and supports concurrent subagent dispatching.
- Enhances architecture inference with layer hints from directory and framework heuristics.
- Outputs an interactive knowledge graph for exploring project structure and relationships.
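FAQ
What is Understand-Anything?
Analyze a codebase to produce an interactive knowledge graph for understanding architecture, components, and relationships. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 216 total downloads so far.
How do I install Understand-Anything?
Run the command "/install understand" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Understand-Anything free?
Yes, Understand-Anything is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does Understand-Anything support?
Understand-Anything is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Understand-Anything?
It is developed and maintained by Yuxiang Lin (@lum1104); the current version is v1.1.0.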