Capforge
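v1.2.0 · Austin Liu | Extracts "reusable capability assets" from open-source GitHub projects: scan code structure → produce capability.md/transform-plan.md → domain classification → format validation (CapForge itself performs no LLM analysis)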
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (scan GitHub projects and produce capability/transform/validation markdown) aligns with the declared requirements: git/node/npx and an npm 'capforge' binary are appropriate and expected for cloning and running the scanner.
Instruction Scope
SKILL.md instructs the agent to clone arbitrary GitHub repositories and write outputs into ~/.capforge (repos/ and output/). That is coherent with the stated purpose, but it requires network access and will create files under the user's home directory; also cloning via git could use the user's SSH keys if repo URLs use SSH.
Install Mechanism
The install is an npm package ('capforge') and the runtime examples use npx. Fetching and executing an npm package at runtime is common for CLI tools but carries moderate risk because package code is executed locally; there is no bundled code in this skill to audit, so verifying the npm package source (or pinning a version) is advisable.
Credentials
No environment variables or credentials are requested by the skill. This is proportionate to a repo-scanning tool. Be aware git operations may implicitly use existing SSH keys or credential helpers on the host.
Persistence & Privilege
The skill is not marked always:true and does not request persistent elevated privileges or modify other skills. It will create its own workspace (~/.capforge) which is expected for its functionality.
Assessment
Before installing:
(1) review the npm package 'capforge' source (GitHub repo) to confirm the code is trustworthy or pin a known-good version;
(2) be aware npx/npm will execute remote package code—consider installing in an isolated environment or container;
(3) expect the skill to clone repositories into ~/.capforge/repos and write output files under ~/.capforge/output—if you don't want files in your home, set CAPFORGE_WORKSPACE to a different path;
(4) cloning can use your SSH keys/credential helpers if SSH URLs are used—avoid giving it links to private repos unless intended;
(5) the skill claims it does static scanning only and will not auto-apply code changes, but still confirm the behavior of the installed npm package before granting it broad autonomous invocation.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
⚒️ Clawdis
Bins: git, node, npx
Install
Node
Bins: capforge
npm i -g capforge