技能路由枢纽
PassAudited by VirusTotal on May 2, 2026.
Overview
Type: OpenClaw Skill Name: skill-router-xiaoz Version: 1.0.0 The skill bundle implements a 'Skill Router' designed to optimize agent performance by categorizing skills into scene-based buckets and selecting the most relevant ones. The logic in `router.py` is transparent, focusing on keyword matching and maintaining a local routing log (`routing_log.jsonl`) for basic reinforcement learning. No indicators of malicious intent, data exfiltration, or unauthorized execution were identified.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The router may suppress skills that would otherwise be relevant, or route a task toward skills that perform high-impact actions if downstream skills are allowed to act.
The skill intentionally influences which other skills the agent should use or ignore. That is its stated purpose, but it affects tool/skill selection across tasks.
每次只激活相关桶内的Top3技能,其他技能静默。
Treat the selected skill list as guidance, not approval. Require normal user confirmation for posting, deployment, file mutation, or account-changing actions performed by downstream skills.
Sensitive details typed into task prompts could be retained locally in routing_log.jsonl and reused for future routing decisions.
Each routed task stores the first 100 characters of the user query in a persistent JSONL log for later routing history.
"query": query[:100], ... with open(ROUTING_LOG, "a") as f:
Avoid putting secrets in task descriptions, and consider adding a clear retention/deletion option for the routing log.
Users may overestimate how much the router actually learns from failures.
The documentation claims failed skills are automatically downranked, but the reviewed code mainly logs routes; mark_outcome does not update outcomes, and get_top_skills looks for a skill_id field that log_routing does not write.
失败的技能自动降权
Verify routing results manually until the learning/downranking implementation is corrected and documented.
Users have less external context for trusting the publisher or comparing the package to an upstream project.
The registry metadata does not provide an upstream source or homepage for provenance verification, although the small local source file is included for review.
Source: unknown; Homepage: none
Install only if you trust the publisher or have reviewed the included SKILL.md and router.py source.