ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Onboarding

v1.0.0

Guide new users to quickly learn and use OpenClaw features, including setup, skill discovery, memory, self-learning, and group chat summary.

0· 154·3 current·3 all-time
by@binson1994
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (onboarding/new‑user guide) match the instructions: setup, showing abilities, teaching 'remember' and installing a skill-finder. However some claimed capabilities (summarize arbitrary group chats, create Feishu documents) imply access to external services that the skill does not declare or request credentials for.
!
Instruction Scope
SKILL.md and quickstart explicitly instruct the agent to create ~/.openclaw, write user.md and MEMORY.md (persistent storage), install a local find-skills package, run 'clawhub group-chat-summary' and 'clawhub create-doc' to produce Feishu docs, and later to install third‑party skills. Writing persistent files is expected for onboarding but the instructions also enable autonomous installation and external data access without requiring explicit user confirmation or declared credentials.
Install Mechanism
The skill is instruction-only (no install spec) which is low direct install risk. But the instructions encourage using clawhub and npx skills to install other skills (including using -y/--yes flags and global installs) and to run 'npx skills add' which will fetch code from the network. That implies downstream supply‑chain risk even if this package itself doesn't fetch remote assets.
!
Credentials
The skill declares no required env vars or credentials, yet the runtime steps call out Feishu document creation and group-chat summaries. In practice those operations require connectors/credentials (Feishu tokens, chat API keys, or platform integrations). The absence of declared credential requirements is an incoherence and hides a practical dependency on accounts/keys which affect privacy and access control.
!
Persistence & Privilege
The skill writes persistent files under ~/.openclaw (user.md, MEMORY.md) and teaches automatic saving whenever the user says '记住XXX'. It also instructs installing additional skills automatically (clawhub install ... --yes, npx skills add -g -y). While not marked always:true, this pattern enables an agent to expand its capability and persist data without repeated explicit user confirmation — a privilege that increases blast radius if misused.
What to consider before installing
This onboarding skill is mostly what it says (setup steps, teaching local "memory", installing a local skill-finder), but it has a few risky or unclear behaviors you should consider before installing: - Persistent writes: it will create ~/.openclaw and write user.md and MEMORY.md automatically when you tell it to "记住" something. If you care about sensitive data, avoid saving secrets and consider where those files will be stored/backed up. - Auto-install behavior: the guide installs a 'find-skills' tool and demonstrates running commands that can auto-install other skills (clawhub install, npx skills add) with '-y' or '--yes' flags that skip confirmation. Any skill pulled from the network can run code on your machine — review or sandbox installs, and prefer not to allow automatic global installs without inspection. - External service access not declared: the guide uses commands that create Feishu docs and summarize group chats, but it doesn't list required credentials. Verify which connectors (Feishu, chat platform) are configured and who has access before using those features. - Supply-chain and privilege mitigation: if you proceed, consider (a) running initial installs in a sandbox or VM, (b) inspecting any skill package before allowing network installs, (c) disabling or limiting auto-write of memory files, and (d) removing/asking to remove automatic '-y'/'-g' flags so installations require explicit consent. If you want higher assurance, ask the author for an explicit list of required credentials and which external services are used, or request that installs prompt for confirmation rather than proceeding automatically.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cqwvt96db9ysp27dce4yq9n83jpmv
154downloads
0stars
1versions
Updated 3w ago
v1.0.0
MIT-0
@binson1994
latest
Download

OpenClaw 快速上手技能

引导新用户快速了解OpenClaw龙虾的能力,学会基本用法,5-10分钟即可上手。

功能特点

  • 直白易懂:没有隐喻,直接告诉你能做什么
  • 即学即用:每一步都是立即可用的能力
  • 自主扩展:学会自己找技能、装技能
  • 记忆功能:说"记住"就自动永久保存
  • 群聊总结:不需要拉进群,直接问就行

使用方法

启动上手引导

开始上手


启动培训班

引导流程

  1. 基础配置(2分钟)- 设置姓名、工作、偏好
  2. 发现能力(2分钟)- 问"你都能做什么"查看技能
  3. 学会记忆(1分钟)- 说"记住XXX"体验永久记忆
  4. 自己学技能(2分钟)- 说"自己学习找技能"安装find-skills
  5. 群聊能力(2分钟)- 问"总结XX群"体验群聊分析

核心指令

指令功能
"你都能做什么"查看当前所有能力
"记住XXX"永久记住重要信息
"自己学习找技能"安装技能查找器
"帮我找XXX技能"搜索并安装新技能
"总结一下XX群昨天说了什么"群聊总结

文件说明

openclaw-onboarding/
├── SKILL.md                          # 技能入口
├── README.md                         # 安装教程
└── references/
    └── training/
        └── quickstart.md             # 上手培训班内容

触发关键词

  • "开始上手"
  • "启动培训班"
  • "新手教程"
  • "怎么使用"
  • "不会用"

安装方法

本地安装:

clawhub install ./openclaw-onboarding --local

Comments

Loading comments...