← 返回 Skills 市场
uStack
作者
aggie-security
· GitHub ↗
· v0.1.0
· MIT-0
76
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install ustack
功能描述
Universal agent workspace compatibility and update engine. Track upstream agent frameworks (like gstack), analyze every change, classify portability, and gen...
安全使用建议
uStack appears coherent: it clones/pulls Git repos and analyzes their contents, writes artifacts to .ustack/, and generates Markdown pages. Before installing or running: 1) be aware it requires Node >=20 and git (run in an environment with those installed); the registry metadata did not list these—that's an inconsistency. 2) Only import repositories you trust or run ustack in an isolated directory/container, since it will clone arbitrary repos and write files locally. 3) Review the generated .ustack content and manifests before using any adapted output in production. 4) Note there are minor code/quality issues (e.g., a missing fs import in one extractor) — these look like bugs, not malicious behavior. If you need stronger guarantees, run it in a sandboxed environment or inspect the cloned repo contents before further automated processing.
功能分析
Type: OpenClaw Skill
Name: ustack
Version: 0.1.0
The ustack skill bundle provides a framework for tracking and analyzing external agent repositories but contains several critical shell injection vulnerabilities. Specifically, `src/lib/git.js` uses `execSync` to execute git commands (log, diff, show) with unsanitized variables such as commit SHAs and file paths. While these capabilities are consistent with the tool's stated purpose, the lack of input validation allows for potential arbitrary command execution if the underlying git metadata or user-supplied identifiers are manipulated. Additionally, the tool performs file system operations and clones external repositories (e.g., from github.com/garrytan/gstack) into a local `.ustack` directory without sufficient sanitization of the source content.
能力评估
Purpose & Capability
The skill claims to import, diff/analyze, and publish updates from upstream agent repos and the code implements exactly that: git clone/pull, git diff/log, file inspection, IR extraction, and markdown generation. One mismatch: the package/README/SKILL.md document Node.js >=20 and Git as requirements, but the registry metadata lists no required binaries—so the metadata underreports required runtime tools.
Instruction Scope
Runtime instructions and code operate on user-provided Git repository URLs: cloning/pulling repos and reading/writing files under a local .ustack workspace. The tool runs git via child_process and reads many repository files to build reports. It does not request secrets or call external services beyond git network access to the supplied repo URL, nor does it execute arbitrary repo scripts. Because it clones arbitrary repos, run it in an isolated directory/container when importing untrusted repositories.
Install Mechanism
There is no install spec (instruction-only/install-from-source), package.json contains no external dependencies, and files are not fetched from unknown remote archives. The code expects Node.js and Git (package.json engines and SKILL.md), which is a conventional, low-risk setup. No remote install URL or extracted archives were found.
Credentials
No environment variables, credentials, or config paths are required. The code emits metadata that references service auth types (e.g., 'bearer-token') as IR metadata only; it does not ask for or store secrets. Requested environment access is proportional to the declared functionality.
Persistence & Privilege
always is false and the skill operates only within a .ustack directory under the current working directory. It writes manifests, snapshots, and run artifacts there but does not modify other skills or global agent settings. Autonomous invocation is allowed by default (disable-model-invocation: false) but this is the platform default and not combined with other red flags.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install ustack - 安装完成后,直接呼叫该 Skill 的名称或使用
/ustack触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
Phase 1: upstream watcher, analyzer, publisher pipeline. Track gstack and other agent frameworks, analyze changes, classify portability, generate website-ready update pages.
元数据
常见问题
uStack 是什么?
Universal agent workspace compatibility and update engine. Track upstream agent frameworks (like gstack), analyze every change, classify portability, and gen... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 76 次。
如何安装 uStack?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install ustack」即可一键安装,无需额外配置。
uStack 是免费的吗?
是的,uStack 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
uStack 支持哪些平台?
uStack 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 uStack?
由 aggie-security(@aggie-security)开发并维护,当前版本 v0.1.0。
推荐 Skills