feynman-lobster

v1.0.0

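You tell me what project you are working on, I read your code and notes, and I teach you what you need to know when you need it. Learning is a by-product of doing.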

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name and description say it will read the user's project code/notes and teach via a "learning contract". The shipped files (instructions, feynman_api.py, web UI, and scripts) implement exactly that behavior: reading local resources (only those the user supplies), maintaining contracts.json, USER_PROFILE.md, and per-contract summaries. There are no unrelated credentials, binaries, or surprising external dependencies requested.
Instruction Scope
SKILL.md and the instruction files explicitly instruct the agent to read local file paths supplied as contract resources (type: local) and to write structured state into workspace files (contracts.json, USER_PROFILE.md, contract-memory/*.md). That is appropriate for this skill, but it means the skill will read any file paths the user provides — including potentially sensitive files if the user points them there. The instructions state that resource access is 'only read' and that user project files are not to be modified; the code and scripts align with that.
Install Mechanism
There is no formal install specification (instruction-only from the registry), which is lower-risk. However, the package includes helper scripts (setup.sh, start-panel.sh) and a Python API (feynman_api.py) that the README/setup recommend running; setup.sh may attempt to auto-start the web panel and open a browser. If the platform automatically executes provided setup scripts on install, those scripts will spawn background processes and a local HTTP server. That behavior is coherent with the UI features, but it is the primary operational side effect to be aware of.
Credentials
The skill requests no environment variables or secrets. It optionally respects OPENCLAW_WORKSPACE to locate files, otherwise defaults to ~/.openclaw. The agent-card mentions a bearer scheme for A2A but the skill does not demand external tokens on install. No disproportionate credentials are requested.
Persistence & Privilege
always:false and normal autonomous invocation are set. The skill writes/updates workspace files (contracts.json, USER_PROFILE.md, contract-memory files) which is expected and documented. It can also start persistent local processes (a local API bridge and a static web server) if you run the provided scripts or if setup.sh is executed. This grants the skill ongoing local presence only if you run/allow those scripts.
Assessment
This skill is coherent with its stated purpose: it will read whatever local project paths you give it (code, notes) and will create/update files under your OpenClaw workspace (contracts.json, USER_PROFILE.md, contract-memory/*). Before installing or running setup.sh/start-panel.sh:
1) inspect feynman_api.py and the shell scripts so you are comfortable they only serve local files and bind to localhost;
2) only provide resource paths you consent to have the skill read (do not point it to directories containing secrets such as ~/.ssh, cloud credential files, or system configs);
3) if you prefer not to run background services, do not run setup.sh or start-panel.sh — you can still use the skill interactively without the web panel;
4) review the A2A/"find supervisor" flows and the agent-card if you plan to invite or accept external supervisors to understand what summary data is shared.
If you want extra assurance, run the scripts manually in a constrained environment (non-privileged account or container) and verify the processes and ports (18790, 19380) before granting broader access.

Like a lobster shell, security has layers — review code before you run it.
