Automatic Skill

v1.4.1

每日 Skill 自动工厂 — 让 openclaw 和 Claude 完全自主地调研、设计、生成、测试并发布全新 skill，全程零人工介入。内置 10 阶段流水线（Research → Design → SEO → Create → Review → Self-Run → Self-Check → Uploa...

⭐ 0· 159·0 current·0 all-time

byCosmos Fang@cosmofang

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cosmofang/automatic-skill.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Automatic Skill" (cosmofang/automatic-skill) from ClawHub.
Skill page: https://clawhub.ai/cosmofang/automatic-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: GITHUB_TOKEN, GITHUB_REPO, CLAWHUB_TOKEN
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install automatic-skill

ClawHub CLI

Package manager switcher

npx clawhub@latest install automatic-skill

Security Scan

Capability signals

Requires OAuth token

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Suspicious

View report →

OpenClaw

Benign

medium confidence

✓

Purpose & Capability

The skill claims to generate, test, and publish OpenClaw skills. It requires gh, git, and clawhub CLIs and GITHUB_TOKEN, GITHUB_REPO, and CLAWHUB_TOKEN for publishing; those are appropriate and expected for creating repositories, committing, pushing, and publishing to clawHub. Optional env vars (SKILL_OUTPUT_DIR, CLAWHUB_OWNER_ID, OPENCLAW_NOTIFY_CHANNEL) match described functionality. No unrelated credentials or binaries are requested.

ℹ

Instruction Scope

Most scripts are prompt generators (they print prompts for the agent) and operate on local files (data/, SKILL_OUTPUT_DIR, generated skill dirs). The pipeline explicitly separates credential-free stages (1–7) from upload stages that use your tokens. The pre-upload safety gate (scan-check) looks for token-exposure patterns. Caveats: some upload-related scripts (upload.js, verify-upload.js) were present but not shown in the truncated listing — I cannot confirm from the provided excerpt that they only invoke the gh/clawhub CLIs rather than making direct network calls. Also package.json includes a scan-fix script (scan-fix.js) which may modify files; the SKILL.md states the safety check is a blocking quality gate (no auto-fix), so you should inspect scan-fix.js to understand whether it will edit generated files automatically.

✓

Install Mechanism

There is no installer/remote download; the skill is instruction/script-based with local Node.js scripts. No external URLs or archive downloads are used during install. That keeps install risk low (the code is contained in the skill bundle), but you should still inspect included scripts before running, since they will write files and may execute commands on your machine.

ℹ

Credentials

The skill requires two credentials to perform publishing: a GitHub token (GITHUB_TOKEN) and a clawHub token (CLAWHUB_TOKEN), plus GITHUB_REPO to identify the target repo. These are proportional to the described publish capability. Important: the skill will use these tokens to create repos, push commits, and publish under your account — ensure tokens are least-privilege (fine-grained PAT scoped only to the intended repo or operations) and that you trust the code. The SKILL.md advises minimal scopes and storing tokens in shell env; still, review upload and verify scripts before giving tokens. No other unrelated secrets are requested.

ℹ

Persistence & Privilege

The skill writes generated skills to SKILL_OUTPUT_DIR and can register an automated cron task via openclaw cron when push-toggle is enabled. It does not request always: true and will not be force-included in every run. Registering a daily cron job and automatic publishing are powerful actions — expected for this meta-skill, but they increase blast radius if misused. The pipeline includes a safety check that blocks uploads if credential-exposure patterns are found, which mitigates some risk. Verify whether any scripts modify system-wide settings beyond adding/removing an openclaw cron job.

Assessment

Plain-language checklist before installing or enabling this skill: - Audit the upload/verify scripts first: open scripts/upload.js and scripts/verify-upload.js and confirm they only call the gh and clawhub CLIs (via child_process.exec/spawn) and do not contain hardcoded endpoints or direct HTTP requests that might exfiltrate data. - Keep tokens minimal: create a GitHub PAT with the smallest possible scopes (ideally repository-scoped or a fine-grained token limited to a single repo) and a clawHub token limited to your account. Do not reuse high-privilege tokens. - Use dry-run first: run node scripts/pipeline.js --dry-run to exercise stages 1–7; this avoids any network/publish steps. - Inspect scan-fix.js: determine whether it auto-modifies generated files. The pipeline says the safety check is a blocking gate, but the presence of an auto-fix script could cause unexpected edits—only allow auto-fixes if you reviewed them. - Control scheduling: do not enable daily cron (node scripts/push-toggle.js on) until you trust the pipeline output. If you enable it, ensure openclaw cron entries are visible and removable; test push-toggle off/status flows. - Review generated files before upload: after a run, examine the generated skill folder(s) in SKILL_OUTPUT_DIR for secrets, unexpected network code, or placeholders before running the upload stage. - Back up and isolate: consider running the pipeline in a disposable/local workspace (set SKILL_OUTPUT_DIR to a non-critical path) and try publishing to a test repository/account first. If you want, I can scan the omitted scripts (upload.js, verify-upload.js, scan-fix.js, and any others not displayed) for direct network calls or hardcoded tokens and re-evaluate confidence.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Environment variables

GITHUB_TOKENrequired— GitHub personal access token — must have 'repo' scope. Scoped to your own repos only. Used by gh CLI to create repos and push commits.

GITHUB_REPOrequired— Target monorepo in owner/repo format, e.g. yourname/openclaw-skills. Must be a repo you own.

CLAWHUB_TOKENrequired— ClawHub API token. Used only to publish skills under your own clawHub account.

CLAWHUB_OWNER_IDoptional— Your clawHub ownerId. If omitted, defaults to the account associated with CLAWHUB_TOKEN.

SKILL_OUTPUT_DIRoptional— Where generated skills are written. Defaults to ~/.openclaw/workspace/skills.

OPENCLAW_NOTIFY_CHANNELoptional— Notification channel for pipeline failure alerts (e.g. slack://...).

latestvk97bts66p08g39e8845jdeaxad84gwfe

159downloads

0stars

18versions

Updated 2w ago

v1.4.1

MIT-0

Automatic Skill — 每日 Skill 自动工厂

每天凌晨自动调研 → 设计 → 制作 → 审核 → 自测 → 发布 → 复查，全程无需人工介入（发布阶段使用你自己的 GitHub/clawHub 凭证）

⚠️ Credentials

Stages 1–7 use zero credentials. Only Stage 8 (Upload) and beyond touch your accounts.

Stage	Action	Credential	What gets written
1–7	Research, Design, SEO, Create, Review, Self-Run, Self-Check	None	Local files only
8a	`gh repo create <owner>/<slug> --public`	`GITHUB_TOKEN`	New public repo on your GitHub account
8b	`git push` to `GITHUB_REPO`	`GITHUB_TOKEN`	New commits to the monorepo you set
8c	`clawhub publish`	`CLAWHUB_TOKEN`	Skill listed publicly under your clawHub account
9–10	Verify, Final Review	`GITHUB_TOKEN` (read-only `gh api`)	Nothing — read-only checks
Cron	Daily auto-run (`push-toggle on`)	None	Registers a local cron job via `openclaw cron`

Does NOT:

Read, transmit, or log credentials
Access repos or accounts other than the ones you configure
Execute network operations from scripts — all network actions go through gh CLI and clawhub CLI under your control
Run Stage 8 in --dry-run mode (safe for testing entire pipeline without publishing)

Minimum token scopes:

GITHUB_TOKEN: fine-grained PAT → single repo → Contents: Read & write only
CLAWHUB_TOKEN: keep in shell env (~/.zshrc), never commit to any file

Purpose & Capability

automatic-skill 是一个元技能（meta-skill），它的能力是制造其他 skill。

架构说明（重要）： 每个阶段脚本是"prompt generator" — 脚本本身不执行任何业务逻辑，只输出结构化 prompt。真正的执行者是 agent（Claude）。网络操作（GitHub push、clawHub publish）均由 agent 调用 gh CLI 和 clawhub CLI 完成，凭证完全在你的机器上。

核心能力：

能力	说明
全流水线生成	从"想法"到"上线"：Research → Design → SEO → Create → Review → Self-Run → Self-Check → Upload → Verify → Final Review
每日自动选题	凌晨 02:00 cron 自动触发，选最高价值 idea，跑完整流程
手动触发	指定 `--idea` 手动选题，或单独跑某一阶段调试
dry-run 模式	`--dry-run`：执行到 Stage 7 自检后停止，不发起任何网络操作
已有 skill 迭代	对现有 skill 单独跑 SEO / self-check / upload 阶段进行升级

能力边界（不做的事）：

不直接写 skill 源码（源码由 agent 根据 create 阶段 prompt 生成）
不并发生成多个 skill（每次运行产出一个）
不访问或修改除 GITHUB_REPO 和 SKILL_OUTPUT_DIR 以外的任何路径或账号

Instruction Scope

在 scope 内（会处理）：

"帮我自动生成一个 skill" / "skill 流水线跑了没" / "今天出了什么新 skill"
手动触发全流水线或单阶段重跑（如"重跑 SEO 阶段"）
查看流水线状态和历史日志（status.js）
开关每日定时任务（push-toggle on/off）
用 automatic-skill 迭代已有 skill（对现有 skill 升级 / SEO 优化 / 自检 / 上传）

不在 scope 内（不处理）：

直接编写 skill 源码（源码由 agent 执行 create 阶段 prompt 生成，非 automatic-skill 职责）
管理 GitHub 仓库权限、clawHub 账户设置、或任何账户级操作
生成非 openclaw skill 格式的内容（普通项目、应用代码等）
在未设置 GITHUB_TOKEN / GITHUB_REPO / CLAWHUB_TOKEN 的环境中执行 Stage 8（会提示缺少凭证，不会静默失败）

凭证缺失时的行为：

Stages 1–7：无需凭证，正常运行
Stage 8 upload：缺少任意必需凭证 → 打印具体缺失变量名 + 配置指引，停止执行（不静默失败）
--dry-run：完整跳过 Stage 8，可安全在无凭证环境测试前七个阶段

Persistence & Privilege

持久化写入的内容：

路径	内容	触发条件
`SKILL_OUTPUT_DIR/<slug>/`	生成的 skill 文件	Stage 4 Create
`data/current-pipeline.json`	当前流水线运行状态（临时）	每次流水线运行
`data/pipeline-log.json`	历次运行历史（追加写入）	Stage 10 Final Review
`~/.openclaw/crontab`（或系统 cron）	每日定时任务条目	`push-toggle on` 时写入，`off` 时删除

不写入的路径：

不修改 shell 配置文件（~/.zshrc 等）
不写入 GITHUB_TOKEN / CLAWHUB_TOKEN 等凭证到任何文件
不在 SKILL_OUTPUT_DIR 之外创建文件（除 data/ 目录）

权限级别：

运行时以当前用户身份执行，不需要 sudo 或提权
gh CLI 和 clawhub CLI 的权限上限由你配置的 token 范围决定
如需撤销所有权限：push-toggle off（删除 cron）+ 在 GitHub/clawHub 吊销对应 token

Install Mechanism

标准安装（推荐）

从 clawHub 安装到 openclaw workspace：

clawhub install automatic-skill
# 安装路径：~/.openclaw/workspace/skills/automatic-skill/

手动安装

从本地源码目录复制：

cp -r /path/to/automatic-skill ~/.openclaw/workspace/skills/automatic-skill/

验证安装

ls ~/.openclaw/workspace/skills/automatic-skill/scripts/
node ~/.openclaw/workspace/skills/automatic-skill/scripts/status.js
# 应输出：No active pipeline run. / pipeline-log.json 状态

安装后配置

在 shell 环境中设置以下变量（写入 ~/.zshrc 或 ~/.bashrc）：

export GITHUB_TOKEN=<your-github-token>          # repo write scope
export GITHUB_REPO=<owner/repo>                  # e.g. Cosmofang/openclaw-skills
export CLAWHUB_TOKEN=<your-clawhub-token>
export CLAWHUB_OWNER_ID=<your-owner-id>          # optional
export SKILL_OUTPUT_DIR=~/.openclaw/workspace/skills  # optional, this is the default

然后验证认证：

gh auth status        # 应显示 ✓ Logged in
clawhub whoami        # 应返回你的用户名

启用每日自动运行

node scripts/push-toggle.js on
# 注册 cron：每天 02:00 自动跑 daily-pipeline.js

何时使用

用户说"帮我自动生成一个 skill"/"今天有新 skill 吗"/"skill 流水线跑了没"
用户想查看今日生成的 skill 是什么
用户想手动触发某一阶段重跑
用户想查看生成历史或当前流水线状态
用户想用 automatic-skill 迭代/升级/上传某个现有 skill

🔄 10-Stage Pipeline

#	Stage	Script	Description
1	Research	`research.js`	Scan trends, identify skill gaps, output Top-3 ideas
2	Design	`design.js <idea>`	Produce full architecture: file tree, script specs, data schema
3	SEO	`seo.js`	Optimize display name, tagline, description, 30+ keywords
4	Create	`create.js`	Generate all files using design + SEO output
5	Review	`review.js <skill-dir>`	Quality checklist: structure, scripts, content, security
6	Self-Run	`self-run.js <skill-dir>`	Execute every script, verify zero errors
7	Self-Check	`self-check.js <skill-dir>`	Validate required fields, file tree, script signatures
7.5	Safety Check	`scan-check.js <skill-dir>`	Pre-upload credential-safety gate; blocks upload if issues found
8	Upload	`upload.js <skill-dir>`	Create standalone repo + push monorepo; clawhub publish
9	Verify	`verify-upload.js <skill-name>`	Confirm live on GitHub and clawHub
10	Final Review	`final-review.js <skill-name>`	Full report, write to pipeline-log.json

📦 Publishing Convention

Skill Standard Sections

Every skill generated or uploaded by automatic-skill must include all five of the following sections in its SKILL.md, in this order:

#	Section	Required content
1	`## Purpose & Capability`	Core concept + capability table + explicit "Does NOT" boundary
2	`## Instruction Scope`	In-scope examples + out-of-scope list + behavior on missing credentials
3	`## Credentials`	Action/Credential/Scope table (or "no credentials required") — no hardcoded tokens
4	`## Persistence & Privilege`	Paths-written table + "Does NOT write" list + uninstall instructions
5	`## Install Mechanism`	`clawhub install` command + verification step + env var examples

Stage 7 (self-check.js) validates all five sections before allowing upload. Missing or empty section = NEEDS_FIX.

GitHub Distribution

Every skill uploaded by automatic-skill must have both:

Destination	Purpose	Command
`<owner>/<slug>` (standalone repo)	Users can search and find the skill directly on GitHub	`gh repo create <owner>/<slug> --public` → push skill files
`GITHUB_REPO/openclaw/agents/skills/<slug>/` (monorepo)	Registry index — all skills listed in one place	`git add openclaw/agents/skills/<slug>/` → push

Stage 8 always runs standalone repo creation first, then monorepo push.

If the standalone repo already exists, skip creation and force-push the latest files.

🌐 Language Policy

SKILL.md content: English (default)
Conversation with user: match user's language — Chinese if user writes Chinese
JSON logs & reports: English only

🛠️ Usage

# Full pipeline (recommended)
node scripts/pipeline.js                   # auto-select topic, run all stages
node scripts/pipeline.js --idea "daily-poem" # specify topic
node scripts/pipeline.js --dry-run         # run through self-check only, no upload

# Per-stage debug
node scripts/research.js                   # output research prompt
node scripts/design.js "daily-poem"        # output design prompt
node scripts/seo.js --from-pipeline        # output SEO optimization prompt
node scripts/create.js --from-pipeline     # output create prompt
node scripts/review.js /path/skill-dir     # output review prompt
node scripts/self-run.js /path/skill-dir   # output self-run prompt
node scripts/self-check.js /path/skill-dir # output self-check prompt
node scripts/upload.js /path/skill-dir     # output upload prompt (direct push)
node scripts/upload.js --pr /path/skill-dir  # output upload prompt (PR workflow)
node scripts/verify-upload.js skill-name   # output verify prompt (gh api checks)
node scripts/final-review.js skill-name    # output final review prompt

# Status & history
node scripts/status.js                     # current pipeline status
node scripts/status.js --history [N]       # last N runs (default 10)
node scripts/status.js --clear             # clear current pipeline state

# Cron toggle
node scripts/push-toggle.js on             # enable daily 02:00 auto-run
node scripts/push-toggle.js off            # disable
node scripts/push-toggle.js status         # show status

⏰ Cron Setup

openclaw cron add "0 2 * * *" "cd ~/.openclaw/workspace/skills/automatic-skill && node scripts/daily-pipeline.js"
openclaw cron list
openclaw cron delete <job-id>

📁 File Structure

data/
  pipeline-log.json       # append-only history of all pipeline runs
  current-pipeline.json   # transient state during active run
scripts/
  research.js             # stage 1
  design.js               # stage 2
  seo.js                  # stage 3 — SEO optimization
  create.js               # stage 4
  review.js               # stage 5
  self-run.js             # stage 6
  self-check.js           # stage 7
  upload.js               # stage 8
  verify-upload.js        # stage 9
  final-review.js         # stage 10
  pipeline.js             # orchestrator
  daily-pipeline.js       # cron entry point
  status.js               # status query
  push-toggle.js          # cron toggle

⚠️ Notes

Required env vars: GITHUB_TOKEN, GITHUB_REPO, CLAWHUB_TOKEN
Optional: CLAWHUB_OWNER_ID (your clawHub owner ID), SKILL_OUTPUT_DIR (default: ~/.openclaw/workspace/skills)
GitHub operations use the gh CLI (inspired by steipete/github): gh auth status, gh repo view, gh api, gh pr create. Install with brew install gh and run gh auth login before first use.
Stage 8 supports --pr flag for a PR-based GitHub workflow instead of direct push to main.
Stage 9 verifies GitHub state live via gh api repos/{repo}/contents/{path} — no git fetch needed.
Every skill gets a standalone GitHub repo (<owner>/<slug>) in addition to the monorepo entry — this lets users search and discover skills directly on GitHub
On any stage failure the pipeline stops and logs the error — no partial overwrites
--dry-run stops after self-check, no network operations
Full run history in data/pipeline-log.json
All scripts are prompt generators only — no outbound network requests are made by the scripts themselves

🧪 Test Run Log (2026-04-04)

First full dry-run results:

Stage	Status	Notes
1 Research	✅	Scanned 17 existing skills, identified 5 gaps, selected daily-poem
2 Design	✅	Fix: `--from-pipeline` reads from `pipeline.research.selected` not top-level
3 SEO	✅	Added in v1.1.0 — produces displayName, tagline, 30+ keywords
4 Create	✅	Generated 9 files including 4 scripts
5 Review	✅	Score 97/100, 1 warning (empty data array, expected)
6 Self-Run	✅	6 script calls, all passed
7 Self-Check	✅	22/22 checks passed, score 100
8 Upload	✅	dry-run skipped — requires GITHUB_TOKEN / GITHUB_REPO / CLAWHUB_TOKEN
9 Verify	✅	dry-run skipped
10 Final Review	✅	Archived to pipeline-log.json

Environment variables:

export GITHUB_TOKEN=<your-token>
export GITHUB_REPO=<owner/repo>
export CLAWHUB_TOKEN=<your-clawhub-token>
export CLAWHUB_OWNER_ID=<your-owner-id>   # optional
export SKILL_OUTPUT_DIR=~/.openclaw/workspace/skills  # optional

Version: 1.4.1 · Created: 2026-04-04 · Updated: 2026-04-09

Comments

Loading comments...