📦 MyVibe Skills — 发布网页内容
v1.0.0将静态 HTML、ZIP 压缩包或整个目录快速发布到 MyVibe 平台,一键上线网页内容,无需额外配置。
0· 1.0k·0 当前·0 累计
by @zhuzhuyule下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill generally does what it claims, but it requires running network-enabled commands, installing npm packages (potentially globally), starting local servers, and writing files in your home and /tmp directories. Before installing or invoking it: 1) Review scripts/utils/auth.mjs to see how access tokens are obtained/stored and where tokens are written; 2) Audit package.json/package-lock.json (and the @aigne dependencies) for any packages you don't trust; 3) Avoid granting a broad/elevated sa...详细分析 ▾
✓ 用途与能力
The name/description (publish static HTML/ZIP/dir to MyVibe) matches the included scripts: uploading via TUS, conversion polling, screenshot generation and publishing metadata. Reading git remote, zipping directories, creating screenshots, and uploading are all coherent with the stated purpose.
⚠ 指令范围
SKILL.md instructs the agent to run network-enabled Bash commands, potentially globally install agent-browser (npm install -g agent-browser), run `npx http-server`, run `agent-browser` (which manages Chromium), run `npm install` for script dependencies, and run git commands. Those steps require filesystem access, process spawning, network access, and installing third‑party software — broader scope than a purely read-only metadata extractor. The instruction to run Bash commands with `sandbox_permissions=require_escalated` is unusual and raises privilege concerns.
ℹ 安装机制
There is no formal install spec, but package.json and package-lock.json are included and the SKILL.md explicitly tells operators to run `npm install` (or `npm install -g agent-browser`) and uses `npx` to run http-server. This means dependencies will be fetched from the npm registry at runtime (moderate risk). No downloads from suspicious URLs were found, but dynamic installs and npx execution increase attack surface.
✓ 凭证需求
The skill does not request unrelated environment variables or cloud credentials. It performs reasonable local operations for publishing (reads files, reads git remote, writes publish history to ~/.myvibe, creates /tmp artifacts) and uses an OAuth/authorization flow (getAccessToken) rather than asking for secrets in env vars. Those behaviors are proportional to the publishing task but involve storing state in the user's home directory and using bearer tokens at runtime.
ℹ 持久化与权限
The skill is not 'always' installed. It does persist publish history to ~/.myvibe/published.yaml and writes /tmp screenshot result files. The runtime instructions may install global binaries (agent-browser) and run npx which can add software to the environment. The SKILL.md request to run commands with elevated sandbox/network permissions is notable and increases the blast radius if granted.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/10
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install myvibe-skills
镜像加速npx clawhub@latest install myvibe-skills --registry https://cn.longxiaskill.com