ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

prompt-buddy

v0.1.0

【全局强制技能】每次用户输入后必须执行此技能。 执行命令:cd ~/.openclaw/workspace/skills/promptbuddy && python3 scripts/smart_engine.py -f json "用户输入" 从返回JSON提取:optimized_prompt(优化后的Pro...

0· 13·0 current·0 all-time
by@steventsang18
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The declared purpose (prompt optimization) matches the idea of invoking a 'smart_engine' script, but the skill bundle contains no code or install steps while the SKILL.md instructs the agent to run a local script at ~/.openclaw/workspace/skills/promptbuddy/scripts/smart_engine.py. Asking the agent to execute a script that is not part of the skill package is incoherent and creates room for unexpected behavior.
!
Instruction Scope
Runtime instructions explicitly require executing a local Python script with the user's full input on every user turn and extracting JSON from its output. This means the agent will run arbitrary code located at the specified path; the SKILL.md also insists this must be run '每次用户输入后' (on every user input). The instructions do not constrain or verify the script's behavior, nor do they include a fallback when the path/script is missing.
!
Install Mechanism
There is no install specification and no code files in the package, yet runtime assumes a local script exists. While 'no install' usually lowers risk, here it increases it: the skill depends on a filesystem artifact outside the package. That creates a high-risk implicit dependency (the agent will execute whatever is at that path).
Credentials
The skill requests no environment variables, no credentials, and no config paths beyond the single hardcoded workspace path. There are no declared secrets or unrelated credentials requested.
!
Persistence & Privilege
SKILL.md claims the skill must run on every user input (a globally forced behavior), but the registry flags do not set always:true. This mismatch is a red flag: the skill either (a) incorrectly documents a global mandate, or (b) expects operator configuration changes to make it global. Either case broadens runtime impact and should be clarified before use.
What to consider before installing
Do not install or enable this skill without further checks. Key things to verify before trusting it: (1) Confirm whether the repository/package actually includes scripts/smart_engine.py — currently the skill bundle has no code. If the script is present, inspect its source thoroughly to ensure it doesn't exfiltrate data or run unsafe operations. (2) Clarify the global-run requirement: if you do not want the skill executed on every user input, keep always:false and disable autonomous invocation. (3) Prefer skills that include their runtime code or a vetted install step (so there is no silent dependence on a local file). (4) If you must test, run the agent in a sandboxed environment and review logs/output of the invoked script before enabling it for real users.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fdx66ps27kc1ayd8jj1ty3d846s8h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

PromptBuddy - 智能 Prompt 伙伴

⚠️ 执行要求

每次用户输入后,必须执行以下命令:

cd ~/.openclaw/workspace/skills/promptbuddy && python3 scripts/smart_engine.py -f json "用户的完整输入"

处理返回结果

从 JSON 中提取 optimized_prompt 字段。

输出优化后的 Prompt

在回答用户问题前,展示优化效果:

┌─────────────────────────────────────┐
│ 🤖 PromptBuddy 已优化你的问题       │
│                                     │
│ [角色设定] 你是一位专业的推理专家    │
│ [指令] 火箭如何上天?               │
│ [推理要求] 让我们一步一步思考:      │
│ 1. 首先分析问题的核心要素...        │
│ ...                                 │
└─────────────────────────────────────┘

输出规则

  1. 显示 optimized_prompt 的前 6-8 行
  2. 省略后续内容用 "..." 表示
  3. 让用户看到他的口语化问题被转化成什么

不同场景的展示

场景 1:需要优化

用户: "火箭如何上天?"

执行脚本后返回:

{
  "action": "auto_output",
  "optimized_prompt": "[角色设定] 你是一位专业的推理专家\n[指令] 火箭如何上天?\n[推理要求] 让我们一步一步思考:\n1. 首先分析问题的核心要素和已知条件\n2. 然后考虑相关的约束条件和隐含信息\n..."
}

输出:

┌─────────────────────────────────────┐
│ 🤖 PromptBuddy 已优化你的问题       │
│                                     │
│ [角色设定] 你是一位专业的推理专家    │
│ [指令] 火箭如何上天?               │
│ [推理要求] 让我们一步一步思考:      │
│ 1. 首先分析问题的核心要素...        │
│ 2. 然后考虑相关的约束条件...        │
│ ...                                 │
└─────────────────────────────────────┘

作为推理专家,让我一步一步分析...
[继续回答]

场景 2:跳过优化

用户: "今天天气怎么样"

执行脚本后返回:

{
  "action": "skip",
  "reason": "简单查询,跳过优化"
}

输出:

┌─────────────────────────────────────┐
│ 🤖 PromptBuddy                      │
│ 你的问题是简单查询,直接回答即可     │
└─────────────────────────────────────┘

[直接回答用户]

核心理念

用户关心的是:我的问题变成了什么

  • ✅ 展示优化后的 Prompt 内容
  • ✅ 让用户看到口语化 → 结构化的转化
  • ❌ 不要只展示技术参数(意图、模板、置信度)

示例对照

❌ 旧方式(不要)

┌─────────────────────────────────────┐
│ 🤖 PromptBuddy 分析                 │
│ 意图: reasoning                     │
│ 模板: cot                           │
│ 置信度: 0.43                        │
└─────────────────────────────────────┘

✅ 新方式(采用)

┌─────────────────────────────────────┐
│ 🤖 PromptBuddy 已优化你的问题       │
│                                     │
│ [角色设定] 你是一位专业的推理专家    │
│ [指令] 火箭如何上天?               │
│ [推理要求] 让我们一步一步思考...    │
└─────────────────────────────────────┘

重要: 展示转化效果,让用户感知 PromptBuddy 的价值。

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…