yummysource

Yummy Shared

Author: yummysource · GitHub · v1.1.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 131
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install yummy-shared
Description
Use when operating yummycli for the first time, checking Gemini credential status, handling yummycli JSON command output, or applying shared CLI safety rules...
Security usage recommendations
This skill appears to do what it claims (help run yummycli and check Gemini auth) but has several things to verify before trusting it:
  1. The SKILL.md asks to install @yummysource/yummycli from npm; confirm that package and publisher are legitimate (check npm page, GitHub source, and owner identity) before allowing installs.
  2. The skill is marked always: true; ask whether you need it active for every agent run, and if not, disable always so it only runs when explicitly invoked.
  3. Avoid embedding API keys on the command line (the docs show --api-key "<api-key>") because that can leak secrets; prefer configuring GEMINI_API_KEY in the environment or using the CLI's secure config.
  4. Because there's no homepage or source listed, exercise extra caution: if you can't verify the npm package or the owner, do not install, or sandbox the install.
If you decide to proceed, set GEMINI_API_KEY only when needed and monitor for unexpected network activity or unexpected modifications to system binaries.
Functional analysis
Type: OpenClaw Skill
Name: yummy-shared
Version: 1.1.0
The skill bundle provides standard operational instructions and safety rules for an AI agent to interact with the 'yummycli' tool for Gemini-based image and video generation. The SKILL.md file defines legitimate authentication procedures, output parsing logic, and safety constraints without any evidence of malicious intent, data exfiltration, or harmful prompt injection.
Capability tags
requires-sensitive-credentials
Capability assessment
Purpose & Capability
Name, description, required binary (yummycli), and required env (GEMINI_API_KEY) match the stated purpose of managing yummycli/Gemini usage. However, there's an inconsistency: the registry metadata said 'no install spec / instruction-only', yet the SKILL.md includes an 'install' entry that installs an npm package (@yummysource/yummycli). The presence of an npm install in SKILL.md is plausible for providing the yummycli binary but contradicts the earlier metadata.
Instruction Scope
Runtime instructions are narrowly scoped to checking auth status, initializing Gemini, parsing yummycli JSON stdout, and enforcing simple safety rules (use local user-provided files, preserve flag order, report output). No instructions ask to read other system files. Warning: the docs show passing an API key directly on the command line (yummycli gemini init --api-key "<api-key>") which risks exposing secrets via process lists or shell history; the SKILL.md also declares GEMINI_API_KEY as the primary credential, so prefer using the environment variable rather than embedding keys in CLI args.
Install Mechanism
SKILL.md specifies installing a Node package (@yummysource/yummycli) which is a moderate-risk install mechanism (public npm). The registry metadata elsewhere indicated 'no install spec', making this contradictory. There is no homepage/source url given in the registry to verify the package or author; that reduces the ability to audit the install. If you plan to allow the skill to install software, verify the npm package identity and trust the publisher.
Credentials
The only required environment variable is GEMINI_API_KEY, which is proportional for a skill that manages Gemini-based image generation. No unrelated credentials are requested. Note the combination of a required credential plus the CLI-pattern shown (embedding keys) increases the chance of accidental secret leakage if users copy/paste commands.
Persistence & Privilege
The skill is marked always: true, meaning it will be force-included in every agent run. That is a significant privilege for a helper that merely enforces CLI safety rules; always: true is not clearly justified. Combined with autonomous invocation and access to GEMINI_API_KEY, this raises the blast radius if the skill or its installable package is compromised. Consider removing always: true or requiring explicit invocation.
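How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install yummy-shared
  3. Once installed, call the Skill by name or trigger it with /yummy-shared
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history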
v1.1.0
- Expanded output contract documentation to include both image and video JSON response examples.
- Clarified that all `yummycli` generation commands return JSON on stdout, not just image commands.
v1.0.0
yummy-shared 1.0.0
- Initial release of shared operating rules for the yummycli command-line tool.
- Provides setup instructions for Gemini provider authentication.
- Describes JSON output contract for yummycli image commands.
- Details shared CLI safety requirements for image generation and editing.
- Lists requirements for usage, including the GEMINI_API_KEY environment variable and yummycli binary.
Metadata
Slug yummy-shared
Version 1.1.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 2
FAQ

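What is Yummy Shared?

Use when operating yummycli for the first time, checking Gemini credential status, handling yummycli JSON command output, or applying shared CLI safety rules... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 131 total downloads so far.

How do I install Yummy Shared?

Run the command "/install yummy-shared" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Yummy Shared free?

Yes, Yummy Shared is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does Yummy Shared support?

Yummy Shared runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Yummy Shared?

It is developed and maintained by yummysource (@yummysource); the current version is v1.1.0.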
