v1.0.0 Skill Optimizer 1.1.0: an AI-company Skill optimization workflow (CTO performance engineering + CISO security optimization, standard edition). Triggered when an existing Skill needs performance optimization, Token savings, context trimming, security hardening, code refactoring, or quality improvement. Trigger keywords: optimize skill, optimize Skill, save Token, trim Skill, refactor Skill, improve Skill quality, security hardening
Last updated: 2026/4/19
Security scan
OpenClaw
Suspicious
medium confidence: As an optimizer, this skill is internally coherent (it can read and modify other skills and provides a measurement/hardening workflow), but it has several operational and authorization gaps that could lead to unauthorized or unintended modification of other skills.
Assessment recommendations
This skill appears to do what it says (inspect and modify other skills), but before installing or enabling it consider: 1) Where and how is the CISO-001 authorization managed? The SKILL.md treats it as a plain string — require cryptographic/identity-backed authorization or multi-party approval before allowing security-harden tasks. 2) Confirm the platform will enforce 'isolated' sessions and L3 read/write restrictions (and that the skill's metadata lists any required config paths) so it cannot a...
✓ Purpose and capabilities
The skill's name and SKILL.md describe an optimizer that must inspect, measure, and apply changes to other skills; the instructions and reference docs match that purpose. However, the SKILL.md expects the agent to have read/write access to a skills area (mentions L3 privilege: read skills/, write optimization results) while the skill metadata declares no required config paths or credentials — this is an operational mismatch (the skill will need filesystem/skill-store access even though none is declared).
⚠ Instruction scope
Instructions explicitly tell agents to read other skills, run baselines, run regressions, and apply changes (including security hardening). That behavior is consistent with an optimizer, but security-sensitive: the 'security-harden' task requires an authorization value 'CISO-001' that the docs validate only as a string equality check (no cryptographic or identity binding). In practice that means any caller able to set that param could trigger code-modifying hardening. The SKILL.md also assumes agent APIs like sessions_send/sessions_spawn and an isolated execution environment; if the platform does not enforce those constraints, the skill could be used to change other skills without proper human review.
✓ Installation mechanism
Instruction-only skill with no install spec and no code files executed on install — this is low risk from an install standpoint.
ℹ Credential requirements
The skill requests no environment variables or binaries, which is appropriate for an instruction-only optimizer. However, it implicitly requires access to other skills' code/config (read/write) and to run tests/regressions; those operational privileges are not declared in metadata as required config paths or credentials, creating a gap between declared and real access needs.
⚠ Persistence and permissions
always:false (good) and user-invocable:true (expected). But the skill's documented behavior includes writing optimization results and applying code changes to other skills (security-harden, performance patches). Modifying other skills' contents is a high-impact privilege; combined with the weak 'CISO-001' string-based authorization and lack of declared required permissions, this raises a privilege/persistence concern if the platform does not enforce isolation, audit, or stronger authorization.
Security is layered; review the code before running it.
Runtime dependencies
🖥️ OS: Linux · macOS · Windows
Versions
latest: v1.0.0 (2026/4/19)
ai-skill-optimizer 1.1.0 introduces a security-centered comprehensive framework and a new API layer for systematic Skill optimization.
- Added a standardized Agent API with strict parameter validation and explicit error codes, supporting safe and auditable optimization requests (token, performance, security, quality).
- Enforced CISO-001 authorization for security hardening; all inter-Agent calls require strict session isolation.
- Documented the end-to-end optimization flow, including baseline measurement, improvement targets, and rollback safeguards.
- Strengthened security controls: path-traversal protection, least-privilege execution, automatic rollback.
- Extended the task schema, return formats, and real-world use cases for CTO/CISO/CQO roles.
● Harmless
Install command
Official: npx clawhub@latest install ai-skill-optimizer-1-1-0
Mirror (accelerated): npx clawhub@latest install ai-skill-optimizer-1-1-0 --registry https://cn.longxiaskill.com