📦 Kai Master Builder — 高效安全开发
v1.0.1引导智能体快速、安全地构建应用、功能或目标,自动生成项目计划与任务清单,全程辅助开发。
0· 110·0 当前·0 累计
by 下载技能包
最后更新
2026/3/20
安全扫描
OpenClaw
可疑
medium confidenceThe skill's stated purpose (help build projects) is plausible and mostly coherent, but a few mismatches and autonomy suggestions raise caution before installing or scheduling it to run unattended.
评估建议
This skill appears to do what it says (plan tasks and run build/test steps), but exercise caution before using it unattended. Things to consider before installing or scheduling it: 1) Run it in an isolated workspace or container (so tests/builds can't touch your system or secrets). 2) Review any generated/modified code and commits before pushing them. 3) Ensure you understand and restrict what validation commands will run (pytest, npm, pip, doc builds) and install only the tools you trust. 4) Do...详细分析 ▾
ℹ 用途与能力
The skill is an instruction-only 'builder' that creates plans, tasks, and run/test prompts — python3 is a reasonable required binary. However, the runtime instructions reference commands/tools not declared as required (e.g., npm, pytest, pip, doc build commands). The presence of those references without declaring them is an inconsistency (minor but notable).
⚠ 指令范围
The SKILL.md tells the agent to pick tasks, implement code, run validation commands (python3 test_x.py, pytest, pip list, npm list, doc builds) and update project files. Those actions will execute code and modify files in the user's workspace. While expected for a builder skill, the instructions also explicitly encourage autonomous operation (cron / sessions_spawn). Executing arbitrary build/test commands can access the network, installed packages, or system resources — the skill gives broad discretion to run such commands without guardrails.
✓ 安装机制
No install spec or code is included (instruction-only). That minimizes supply-chain risk because nothing is downloaded or written by an installer.
ℹ 凭证需求
The skill requests no environment variables or credentials, and its security checklist discourages hardcoding secrets. That is proportionate. Still, because it runs arbitrary build/test commands, it could read local environment or files if the agent is instructed to do so — the SKILL.md does not enumerate or limit which environment variables or paths the agent may access.
⚠ 持久化与权限
The skill itself is not always-enabled (always: false) and has no install persistence. However, the SKILL.md explicitly recommends setting up cron or using sessions_spawn to run autonomously. Scheduling this skill to run unattended increases risk because it may execute build/test steps and modify files without an explicit human review.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.12026/3/20
- Added keywords "Developer, Code, Engineer" to the skill description for improved discoverability. - No functional or process changes; documentation only.
● 无害
安装命令
点击复制官方npx clawhub@latest install kai-master-builder
镜像加速npx clawhub@latest install kai-master-builder --registry https://cn.longxiaskill.com