← 返回 Skills 市场
Universal Skills Manager
作者
Jacob Ben-David
· GitHub ↗
· v1.7.0
1615
总下载
0
收藏
5
当前安装
8
版本数
在 OpenClaw 中安装
/install universal-skills-manager
功能描述
The master coordinator for AI skills. Discovers skills from multiple sources (SkillsMP.com, SkillHub, and ClawHub), manages installation, and synchronization...
安全使用建议
This skill appears to implement a legitimate universal skills manager, but there are several red flags you should consider before installing or giving credentials:
- Inconsistencies: The registry metadata does not declare the SKILLSMP_API_KEY or required binaries, yet SKILL.md and config.json do. Ask the publisher to reconcile metadata and frontmatter so you know exactly what will be requested.
- Review code before running: The package includes installer and downloader scripts that will fetch and write arbitrary files into many ~/.tool/ and project directories. Inspect scripts/install_skill.py and scripts/scan_skill.py yourself or run them in a sandboxed VM/container first.
- Never pipe unknown remote scripts to sh: The SKILL.md recommends curl | sh as a convenience — avoid this. If you must run an installer from the project, fetch it, inspect it locally, then run it.
- Limit credentials: Only provide SKILLSMP_API_KEY or GitHub tokens if you trust the publisher and understand scope; consider creating scoped or temporary tokens with minimal privileges.
- Test safely: If you want to try the skill, do so on a disposable account or isolated environment (container or VM) and verify exactly which paths it modifies.
If the publisher can (1) update registry metadata to declare required env vars and binaries, (2) remove or document the curl|sh shortcut, and (3) publish a verifiable homepage/release with checksums, the risk profile would be clearer and easier to evaluate.
功能分析
Type: OpenClaw Skill
Name: universal-skills-manager
Version: 1.7.0
The 'universal-skills-manager' bundle is a comprehensive tool for discovering, installing, and synchronizing AI agent skills across multiple platforms. It possesses high-risk capabilities, specifically the ability to download and execute remote scripts from GitHub and ClawHub, and perform broad file system operations across various AI tool directories (e.g., ~/.claude, ~/.gemini). While it includes a dedicated security scanner (scripts/scan_skill.py) and validation logic to mitigate risks, the inherent potential for remote code execution (RCE) and the inclusion of 'curl | sh' installation instructions in SKILL.md for external tools warrant a suspicious classification despite the behavior being aligned with the stated purpose.
能力评估
Purpose & Capability
The skill's name, description, and included scripts are consistent with a universal skill manager that discovers, downloads, and installs skills across multiple tools. However, metadata in the registry declares no required env vars/binaries while the SKILL.md frontmatter and included config.json advertise SKILLSMP_API_KEY and require python3/curl/network access — a clear mismatch between what the registry says and what the skill actually needs.
Instruction Scope
The runtime instructions and scripts explicitly require outbound network access to multiple third-party endpoints and write into many user-level and project-level tool directories (e.g., ~/.claude/, ~/.gemini/, ~/.openclaw/, etc.). The SKILL.md also suggests running a remote install command piped to sh (curl ... | sh), which is a high-risk operation. The instructions potentially permit installing arbitrary code into many locations on the user's filesystem — behavior that is powerful but also dangerous if the source is untrusted.
Install Mechanism
There is no formal install spec (instruction-only), yet three substantial scripts are included. The installer downloads files from GitHub raw URLs (raw.githubusercontent.com) — a normal choice — but the README/workaround recommending a curl | sh installer is risky. The download sources (GitHub and well-known domains) are expected, but the inclusion of an ad-hoc remote shell-pipe install step is disproportionate to safe installation practice.
Credentials
SKILL.md/frontmatter and config.json reference a SKILLSMP_API_KEY and the install script accepts an optional GitHub token; the registry metadata, however, lists no required env vars. Requesting an API key for SkillsMP (and optionally a GitHub token) is reasonable for searching private/curated sources, but the mismatch between declared and actual required credentials is a red flag. The skill would gain access to any credentials the user supplies and may use them to fetch private repositories.
Persistence & Privilege
The skill is not marked always:true and the registry shows normal autonomous invocation defaults. It is designed to modify multiple per-user and per-project skill directories (its core function) which is coherent with purpose. There is a metadata mismatch: SKILL.md sets disable-model-invocation to true in its frontmatter while registry flags show default false — this inconsistency should be resolved prior to installation.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install universal-skills-manager - 安装完成后,直接呼叫该 Skill 的名称或使用
/universal-skills-manager触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.7.0
Universal Skills Manager 1.7.0
- Added support and instructions for packaging skills as ZIPs for ChatGPT's new Skills platform, alongside claude.ai and Claude Desktop.
- Expanded documentation to clarify compatibility, admin settings, and limitations for ChatGPT Skills (beta), including workspace activation requirements.
- Added 4 new scripts: configuration file, install script, skill scanner, and skill frontmatter validator for enhanced skill management and validation workflows.
- Updated safety and instruction notices related to cloud platforms, including improved error and incompatibility messaging for network-restricted environments.
- Clarified and unified installation and packaging workflows across supported cloud and local tools.
v1.6.0
# Universal Skills Manager 1.6.0 Changelog
- Updated metadata in SKILL.md for improved compatibility and requirements clarity.
- Clarified network access requirements and platform-specific instructions.
- Removed config.json, install_skill.py, and scan_skill.py—installation and scanning logic is now documented, not bundled.
- Added detailed workaround and bug advisories for Claude Desktop and claude.ai compatibility.
- Streamlined documentation and removed deprecated script dependencies.
v1.5.5
Universal Skills Manager v1.5.5
- Updated documentation to clarify that SkillHub and ClawHub search work without an API key; embedding a key when packaging for claude.ai/Desktop is now optional, with added safety guidance.
- Removed outdated stats from SkillHub and ClawHub descriptions for accuracy.
- Revised packaging instructions for claude.ai/Desktop to emphasize credential safety and updated behavior regarding API key use in ZIPs.
- Minor editorial and formatting improvements for better clarity and consistency.
v1.5.3
No file changes detected in this version.
- Version bump only; no code or documentation changes present.
- All features and behavior remain the same as the previous release.
v1.5.1
Fix disable-model-invocation placement: moved from nested metadata.clawdbot to top-level frontmatter field so ClawHub registry correctly reads it.
v1.5.0
Close all 20 security findings: homoglyph transliteration (M2), quadratic perf fix, install_skill.py integration fix, O_NOFOLLOW Windows portability, 65 tests, SECURITY.md, full CHANGELOG. Credit: @ben-alkov for security analysis and hardening.
v1.4.1
Address ClawHub security review: declare runtime requirements (python3, curl), primary env var (SKILLSMP_API_KEY), disable autonomous model invocation, add API key handling security note, remove save_memory reference
v1.4.0
Universal Skills Manager v1.4.0
- Initial release of a centralized skill/package manager for AI tools and environments.
- Supports discovery and installation of skills from SkillsMP.com, SkillHub, and ClawHub across platforms like Claude Code, Gemini CLI, Google Anti-Gravity, OpenCode, and more.
- Manages skills at both User (Global) and Project (Local) scopes.
- Provides search, installation, packaging (ZIP for claude.ai/Claude Desktop), and synchronization features.
- Handles platform/network limitations for claude.ai and Claude Desktop, with clear user instructions.
- Includes an installation script with validation, update detection, and security scans.
元数据
常见问题
Universal Skills Manager 是什么?
The master coordinator for AI skills. Discovers skills from multiple sources (SkillsMP.com, SkillHub, and ClawHub), manages installation, and synchronization... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1615 次。
如何安装 Universal Skills Manager?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install universal-skills-manager」即可一键安装,无需额外配置。
Universal Skills Manager 是免费的吗?
是的,Universal Skills Manager 完全免费(开源免费),可自由下载、安装和使用。
Universal Skills Manager 支持哪些平台?
Universal Skills Manager 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Universal Skills Manager?
由 Jacob Ben-David(@jacob-bd)开发并维护,当前版本 v1.7.0。
推荐 Skills