🗺️ Skill Atlas (技能图谱)

What to check before installing: - Metadata/packaging: the registry metadata is inconsistent (Required env vars shows "[object Object]" and the registry claims no install spec while SKILL.md contains one). Treat the package metadata as unreliable until corrected. - Vetter dependency: the tool repeatedly runs WORKSPACE/scripts/skill-vetter.py (expected to come from agent-memory). Inspect that vetter script's source before installing — it runs automatically during installs/updates and thus has high influence over what gets allowed. - Write scope: skill-atlas is allowed to write skills/*/config/scenes.json (other skills' config). If you want stricter isolation, restrict that permission or back up scenes.json and other config before enabling the skill. - External actions: skill-atlas invokes 'clawhub' and PowerShell to search/install/update remote skills. Those remote installs will fetch code from network — ensure you trust the clawhub sources and review the vetter output for each install. - Command construction: the scripts build and run PowerShell strings (e.g., clawhub install <slug>) without sanitizing inputs; avoid passing untrusted slugs and review any interactive confirmations. - Practical steps: (1) Inspect WORKSPACE/scripts/skill-vetter.py and any agent-memory artifacts before enabling this skill. (2) Correct/confirm OPENCLAW_WORKSPACE value and back up WORKSPACE/skills/*/config/scenes.json. (3) If uncertain, run the scripts in a sandboxed environment or inspect outputs of vet steps before allowing installs/updates. Overall: the functionality is plausible for a skill manager, but the metadata issues, implicit reliance on an external vetter, and broad write permission justify caution — review the vetter and configs before enabling automatic operations.