rtaylorgraham

Version Drift Publish

Author: rtaylorgraham · GitHub ↗ · v1.2.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 274
Favorites: 0
Current installs: 0
Versions: 4
Install in OpenClaw
/install version-drift
Description
One command to check if your entire stack is up to date. SSHes into servers, queries APIs, and compares installed versions against latest — across every serv...
Security usage advice
This skill is coherent with its stated purpose, but it is powerful: it will run arbitrary shell commands locally and over SSH and will issue HTTP requests to any URL you configure. Before you install or run it:
  1. review config.yaml carefully — any command in 'installed' will be executed;
  2. keep secrets minimal and put them in environment variables with least-privilege tokens (the script will expand and use any ${VAR} you reference);
  3. prefer a non-root SSH user with read-only permissions where possible;
  4. be aware it writes a state file (state.json) in the working directory;
  5. consider running first in a sandbox or CI runner with limited credentials;
  6. if you need stronger SSH host verification, explicitly set strict_host_key in your config instead of using the default accept-new.
If you want further checks, provide the full drift.py for deeper code review (the supplied snippet is large but truncated in places).
Functional analysis
Type: OpenClaw Skill
Name: version-drift
Version: 1.2.1
The bundle provides a version-tracking utility that utilizes high-risk primitives, specifically arbitrary local shell execution via 'sh -c' and remote execution via SSH in drift.py. While these capabilities are aligned with the tool's stated purpose of checking software versions across a stack, the script lacks input sanitization for commands defined in config.yaml, creating a direct path for Remote Code Execution (RCE). No evidence of intentional malice, data exfiltration, or hardcoded backdoors was found, but the broad execution surface on both the local host and remote servers justifies a suspicious classification.
Capability assessment
Purpose & Capability
The name/description say it will SSH, call HTTP APIs, and run local commands to discover versions; the included config examples and drift.py implement exactly that. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md and drift.py permit executing arbitrary shell commands on local and remote hosts, fetching arbitrary HTTP endpoints, and saving state to a local file. That is necessary for the stated goal, but it gives the script high power — any command you place in config.yaml will be executed.
Install Mechanism
There is no install spec and no remote downloads; this is an instruction-only skill with an included Python script. It optionally uses pyyaml if installed but falls back to JSON. No high-risk installers or external archives are pulled.
Credentials
The skill declares no required env vars but reads environment variables at runtime (expand_env, and optional GITHUB_TOKEN for GitHub API rate limits). config.example.yaml shows placeholders like ${HA_TOKEN} and ${API_KEY}. The skill will expand and use any env var referenced in your config, so it can access secrets you place into environment variables even though none are listed in the metadata.
Persistence & Privilege
Not always-included and not auto-installed. The tool writes a local state file (default state.json) to track drift and uses SSH with StrictHostKeyChecking=accept-new by default (trust-on-first-use). Both behaviors are normal for this tool but worth noting for operational security.
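How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install version-drift
  3. Once installation completes, invoke the Skill by name or trigger it with /version-drift
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history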
v1.2.1
SSH host key checking now defaults to accept-new (trust-on-first-use) instead of no. Configurable per-host via strict_host_key setting. Addresses VirusTotal MITM warning.
v1.2.0
New --changes flag: see actual release notes between your installed version and latest. Fetches GitHub releases for GitHub, npm, and PyPI sources. Includes drift descriptions showing major/minor/patch breakdown.
v1.1.0
Security hardening: removed shell=True, SSL verification on by default (configurable per-host), replaced raw IPs with .local hostnames in examples, added Security section to SKILL.md
v1.0.0
Initial release: SSH/HTTP/local version checks, GitHub/npm/PyPI/Docker Hub/custom HTTP sources, state tracking, table/JSON/markdown output.
Metadata
Slug version-drift
Version 1.2.1
License MIT-0
Total installs 0
Current installs 0
Number of versions 4
FAQ

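What is Version Drift Publish?

One command to check if your entire stack is up to date. SSHes into servers, queries APIs, and compares installed versions against latest — across every serv... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 274 total downloads to date.

How do I install Version Drift Publish?

Run the command "/install version-drift" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.

Is Version Drift Publish free?

Yes, Version Drift Publish is completely free and is released under the MIT-0 license; it can be downloaded, installed and used freely.

Which platforms does Version Drift Publish support?

Version Drift Publish is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Version Drift Publish?

It is developed and maintained by rtaylorgraham (@rtaylorgraham); the current version is v1.2.1.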
