Skill Discovery

v2.2.1

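Discovers and recommends skills based on user intent. It analyzes the user's input, searches for matching skills, verifies their quality, recommends the best match, and installs it once the user confirms.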

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description describe searching and recommending skills; the code implements searches via the official 'npx skills' CLI and an optional ClawHub API, sorts by installs/trusted owners, and exposes install/remove wrappers. Required binaries (npx, optional clawhub) and Node.js runtime are appropriate for this purpose.
Instruction Scope
Runtime instructions and code limit actions to: analyzing user input, calling 'npx skills' (find/list/add/remove), optionally calling the public ClawHub search API, building sanitized logs, and backing up/uninstalling installed skills. The skill documents and implements dry-run (recommendation) mode by default and does not perform automatic installs unless explicitly invoked with dryRun: false/explicit options.
Install Mechanism
No external binary downloads or obscure install URLs are used. The package is bundled (entrypoint index.js) and relies on existing CLIs (npx/clawhub) and Node.js. Source files are included; no extract-from-unknown-URL install steps are present.
Credentials
The skill requests no secrets and only uses optional environment variables (OPENCLAW_DIR, TRASH_DIR) to locate logs/backups; these are documented in SKILL.md. It does make outbound HTTPS requests to clawhub.ai (public search API), which is proportional to adding an alternate registry source.
Persistence & Privilege
The skill does not set always:true. It exposes an OpenClaw hook (onUserInput) which, when used, runs in dry-run mode by default. It writes logs and keeps uninstall backups under the user's OpenClaw directory (configurable). These behaviors are documented and proportional to its purpose.
Assessment
This skill appears internally consistent and implements a recommendation-first workflow (dry-run) by default. Before installing or enabling it as an automatic hook, consider:

1) It will run 'npx skills' commands and may call the public ClawHub API (clawhub.ai); ensure outbound network access to that host is acceptable.
2) It writes sanitized logs to $OPENCLAW_DIR/logs/skill-discovery-v3.json and stores uninstall backups in a .trash directory under the configured path (defaults to your home .openclaw); verify the log/backup locations and retention meet your privacy/storage needs.
3) Automatic installation only occurs if explicitly invoked with dryRun: false or explicit CLI flags; review the install command before consenting to install any discovered skill.
4) The code uses child_process.exec but implements shell escaping for user inputs; if you have strict security requirements, inspect the sanitize() implementation and the trustedOwners list to confirm they match your policy.

Overall, nothing in the package requests unexplained credentials or hidden endpoints.

Runtime requirements

Bins: npx
Any bin: clawhub