ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

自然语言Skill生成器

v1.0.0

自然语言描述需求,AI自动生成可复用的Skill。用于:(1)根据需求创建新Skill (2)生成Skill结构 (3)批量生成Skill模板。触发词:创建skill、生成skill、做一个skill

0· 333·0 current·0 all-time
by@chongjie-ran
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to generate Skill skeletons and optionally publish them. The generator code (generate.py) is coherent for that purpose. However, the publish script performs network-facing actions (calls clawhub, gh, git) and writes into ~/.openclaw/workspace and memory paths. The package metadata declared no required binaries or credentials, so the external-publish capabilities are not reflected in the declared requirements.
Instruction Scope
SKILL.md instructs users to run the generator and describes an automatic publish flow (ClawHub, GitHub). The generate.py itself only constructs an LLM prompt and formats files (no direct network calls). publish.py runs subprocess commands to publish to ClawHub and GitHub and saves promotional text. Those steps are within the stated publish feature but will perform I/O and remote pushes when run.
Install Mechanism
There is no install spec (instruction-only), and files are provided as scripts. Risk comes from runtime use of subprocess to call external CLIs (clawhub, gh, git) rather than from an installer. No download-from-URL or archive extraction is present.
!
Credentials
requires.env and required binaries are empty, but publish.py implicitly requires: clawhub CLI, Git, GitHub CLI (gh) and valid GitHub/ClawHub authentication (tokens/config). The scripts write to the user's home (~/.openclaw/workspace and memory files). The credential/tools requirement is not declared, which is a proportionality mismatch and could surprise users.
Persistence & Privilege
always is false and the skill does not request platform-wide privileges. However, the publish script will create git repos, initialize .git in skill directories, push to remote, and write files under ~/.openclaw — persistent filesystem changes in the user's home. Those actions require user consent but are not gated by declared requirements.
What to consider before installing
This skill appears to implement a legitimate skill-generator and a publisher, but there is a mismatch between what it declares and what it does at runtime. Before installing or running: 1) Inspect the publish.py script (you already have it) and confirm you trust it to create repos and push code; 2) Be aware publish.py will call 'clawhub', 'git', and 'gh' CLIs and expects those to be installed and authenticated — it does not declare or request those credentials in metadata; 3) If you do not want automatic publishing, avoid running publish.py or run generate.py in demo mode (no network actions); 4) Run these scripts in a safe/test environment first (not on a production workspace) to see exactly what files are created under ~/.openclaw; 5) If you need a cleaner security posture, ask the author to declare required binaries and env vars (GH token or gh auth, clawhub CLI), and to make publishing explicitly opt-in rather than automatic. If you want me to, I can point to the exact lines that perform network/push actions and suggest minimal changes to make publishing safer (e.g., prompt before subprocess calls, require explicit env vars).

Like a lobster shell, security has layers — review code before you run it.

aivk979bd5ct1hcxf6m608tjfqbyx82vx4nautomationvk979bd5ct1hcxf6m608tjfqbyx82vx4nlatestvk979bd5ct1hcxf6m608tjfqbyx82vx4n
333downloads
0stars
1versions
Updated 6h ago
v1.0.0
MIT-0
@chongjie-ran
aiautomationlatest
Download

Skill生成器

将自然语言需求转换为标准Skill结构。

核心功能

  • 需求解析: 理解用户描述的功能需求
  • 结构生成: 自动生成Skill的name、description、body
  • 预览编辑: 生成后可预览和修改
  • 一键保存: 确认后保存到Skill库
  • 自动发布: 一键发布到ClawHub和GitHub

使用方法

基本用法

直接告诉SC你想要创建的Skill,例如:

  • "帮我创建一个查天气的skill"
  • "生成一个可以自动写代码注释的skill"
  • "做一个管理提醒事项的skill"
  • "创建一个skill:自动总结YouTube视频"

生成流程

  1. 描述需求: 用自然语言描述你想要的功能
  2. LLM解析: 系统分析需求,提取关键信息
  3. 生成结构: 自动生成Skill的name、description、body
  4. 预览确认: 展示生成的Skill供你预览
  5. 保存部署: 确认后保存到Skill库
  6. 发布分享: 可选 - 发布到ClawHub和GitHub

Skill结构说明

每个Skill包含:

字段说明示例
name英文名称(kebab-case)weather-query
description功能描述和触发场景"查询天气..."
triggers触发关键词列表["查天气", "weather"]
bodyMarkdown使用说明详细功能描述

发布流程(自动)

当Skill保存后,可以选择发布:

  1. 发布到ClawHub: clawhub publish <skill-name>
  2. 发布到GitHub: 自动创建仓库并推送
  3. 生成抖音宣传: 自动创建宣传文案

抖音宣传内容模板

发布后自动生成:

🎉 新Skill发布!
【Skill名称】
📦 下载: ClawHub/GitHub链接
💡 功能说明
📖 使用方法
#AI #OpenClaw #Skill名称

示例

用户输入:

"我需要一个查天气的skill"

生成的Skill:

---
name: weather-query
description: 查询全球城市天气和预报。使用场景:(1)了解当前天气 (2)查看未来预报 (3)比较不同城市天气
triggers: ["查天气", "天气怎么样", "weather"]
---

# Weather Query

## 功能
- 查询当前天气
- 查看3-7天预报
- 多城市对比

## 使用方式
直接告诉SC:"查北京天气"或"上海明天天气怎么样"

底层实现

如需直接调用生成器:

python ~/.openclaw/workspace/skills/skill-generator/scripts/generate.py "用户需求"

生成器会:

  1. 调用LLM解析需求
  2. 生成标准JSON结构
  3. 转换为SKILL.md格式
  4. 保存到 skills/ 目录
  5. 可选:发布到ClawHub和GitHub

Comments

Loading comments...