Security scan
OpenClaw
Suspicious
medium confidence
Skill is largely coherent with an error‑recovery purpose, but it references system state and secrets without declaring them and mentions helper scripts that are missing from the package — review before installing.
Assessment and recommendations
This skill appears to implement a reasonable 4R error-recovery workflow and includes a harmless local diagnostic script. However: (1) SKILL.md and README reference additional helper scripts (e.g., scripts/error-log.mjs) that are not included — ask the author or check the upstream repo for the missing files. (2) The documentation tells the agent to check environment variables, tokens, and to use sudo/alternate APIs; the skill manifest does not declare any credentials. Before installing, review an...
ℹ Purpose and capability
Name/description, SKILL.md, README and the included error-diagnose.mjs align with an 'error recovery' helper: a knowledge base and guidance for diagnosing common errors. Minor incoherences: SKILL.md and README refer to additional helper scripts (e.g., scripts/error-log.mjs) and a GitHub repo clone URL that are not present in the file manifest; source/homepage are 'unknown'. These missing artifacts reduce transparency but do not by themselves imply malicious intent.
⚠ Instruction scope
Instructions explicitly tell an agent to run system commands (ls, chmod), try sudo, check environment variables and tokens, and use alternate tools/APIs (gh api, GitHub API). While these actions are reasonable for diagnosing errors, the SKILL.md grants broad discretion to read system state and credentials even though the skill's manifest does not declare any required environment variables. That mismatch elevates risk: the agent may access secrets or perform privileged actions without a declared need.
✓ Install mechanism
Instruction-only skill with one small local Node script; there is no install spec, no network downloads, and the included script is a local diagnostic printout with no network calls. This is low-risk from an installation perspective.
ℹ Credential requirements
The manifest declares no required environment variables or credentials, yet the guidance discusses checking API keys/tokens and setting env vars (e.g., GIT_CURL_VERBOSE, API keys) and using authenticated APIs. The skill should explicitly declare any credentials it expects; the absence is a transparency gap that could lead to the agent reading secrets without the skill declaring them.
✓ Persistence and privileges
Skill is not always:true, does not include an install hook, and does not request persistent system-wide privileges. It references integration with other skills (memory-guard, evr) but does not modify other skills or agent configs in the package. No elevated persistence requested.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/21
Initial release to ClawHub
● Benign
Install command
Official: npx clawhub@latest install error-recovery-xiaobai
Mirror (accelerated): npx clawhub@latest install error-recovery-xiaobai --registry https://cn.longxiaskill.com (mirror sync in progress)