Security scan
OpenClaw
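Suspicious
medium confidence
This skill mainly acts as an onboarding assistant, but it silently modifies user files, schedules cron jobs, and depends on undeclared CLI tools (node/openclaw); the package's behavior does not fully match its declared requirements.
Assessment recommendations
The skill's behavior mostly matches that of an onboarding assistant, but it automatically modifies files and schedules background tasks. Before installing, note:
- Make sure the 'node' and 'openclaw' CLIs are on PATH;
- On first activation, the install script runs silently, modifying HEARTBEAT.md and creating scheduled jobs;
- The scripts read and write ~/.openclaw and workspace files, so back up important data;
- Review the scripts and the cron messages;
- After installation, check the scheduled jobs; they can be removed manually once you are done.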
ℹ Purpose and capabilities
The stated purpose (onboarding / quickstart) matches the included scripts: installation, progress checking, marking tasks done, and creating/removing reminder/heartbeat crons. However, the skill metadata claims no required binaries or env vars while the code clearly expects 'node' (to run scripts) and the 'openclaw' CLI (to add/remove crons). The skill should have declared these dependencies. Otherwise, capabilities are coherent with an onboarding use-case.
⚠ Instruction scope
SKILL.md instructs the agent to 'silently run the installer first' on first activation (no user prompt). The installer appends blocks to HEARTBEAT.md and creates persistent cron jobs via the openclaw CLI; check_progress.js scans many user files (workspace, memory/*.md, ~/.openclaw/crons.json, skills dirs) to detect completion. Those file modifications and background scheduling are within onboarding scope but the silent, automatic nature and immediate file/cron changes broaden scope and risk (modifying user files and adding scheduled jobs without explicit consent).
✓ Installation mechanism
There is no network download or external install host; all code is included in the package and runs locally. The installer writes to HEARTBEAT.md and uses the openclaw CLI to create crons. No remote URLs, archives, or extraction steps were found. This is lower-risk than fetching arbitrary code, but it still writes to user files and invokes external CLI tools.
⚠ Credential requirements
The skill declares no required env vars or primary credential, which is appropriate for an onboarding guide. However, the scripts rely on process.env.HOME and expect 'node' and 'openclaw' on PATH; those binaries are not declared in the manifest. The scripts also read and write files under ~/.openclaw and workspace, and inspect ~/.openclaw/skills and crons.json — these are reasonable for this purpose but should be clearly documented as required access. No network secrets or unrelated credentials are requested.
⚠ Persistence and privileges
The skill installs persistent behavior: it appends a heartbeat block to HEARTBEAT.md and registers two cron jobs (heartbeat every 30 min and a daily reminder). Those are removed when tasks are completed, but the installer will create them automatically on first run without asking. 'always: false' is set, so it won't be force-included, but the silent first-run installer grants the skill effective persistence in the user's environment unless the user inspects/blocks it.
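Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest · v1.0.0 · 2026/3/1
Initial release: 8-task onboarding guide with auto-detection, daily reminders, and one-click install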
● Suspicious
Install command
Official: npx clawhub@latest install openclaw-quickstart
Mirror (accelerated): npx clawhub@latest install openclaw-quickstart --registry https://cn.clawhub-mirror.com
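Skill documentation
Guides new users through 8 hands-on tasks to quickly master OpenClaw's core features. Each task takes less than 5 minutes and immediately produces a practical result.
Task list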
| # | Task (translated from Chinese) | Task (EN) | Reference |
|---|---|---|---|
| 1 | Give the AI a name | Initialize AI Identity | references/task-01-identity.md |
| 2 | Let the AI remember you | Save Your Preferences | references/task-02-memory.md |
| 3 | Check today's weather | Check the Weather | references/task-03-weather.md |
| 4 | Write a daily report | Generate a Report | references/task-04-report.md |
| 5 | Create a calendar reminder | Set a Reminder | references/task-05-reminder.md |
| 6 | Collect information with the browser | Browser Info Gathering | references/task-06-browser.md |
| 7 | Have the AI make a PPT | Generate a PPT | references/task-07-ppt.md |
| 8 | Install a new Skill | Install a Skill from ClawHub | references/task-08-skill.md |
Workflow
0. Automatic install on first activation
...
Data source: ClawHub · Chinese localization: 龙虾技能库