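📦 open-skills — Skill Tool
v2.0.1 An interactive CLI tool that helps developers browse by category, multi-select with the space bar, and batch install/sync AI Agent skills to multiple editors in one step.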
Security scan
OpenClaw
Suspicious
Medium confidence. The tool's claimed purpose (interactive CLI to browse and bulk-install skills) matches the codebase, but there are unexplained gaps about runtime requirements, install provenance, and what will be written/executed on your machine — review before installing.
Assessment recommendations
Before installing: 1) Verify the package source (npm user/org, repository URL, and commit history); avoid running npx against an unknown publisher. 2) Inspect package.json and any postinstall scripts — npx/npm may run lifecycle scripts. 3) Review the code that writes to editor/config paths (search for target paths in src/core/presets/editors.ts and install/sync code) and back up those editor settings. 4) Expect this tool to perform network downloads and write files into editor skill directories;...
ℹ Purpose and capability
The repository and SKILL.md match the described purpose: a Node CLI with commands for listing, searching, installing, and syncing skills (src/commands/*.ts, registry resolvers, install/sync code). Bundled skill packages (e.g., deep-research) are reasonably part of a skills manager. However the metadata claims 'required binaries: none' while the package is a Node CLI (package.json, src/cli.ts) and the deep-research bundle documents Python scripts (python3) — so runtime requirements are understated.
⚠ Instruction scope
SKILL.md describes selecting editors and auto-download/convert/install — which implies filesystem writes into editor skill/config locations. The registry metadata lists no required config paths, and the skill README doesn't enumerate exactly which editor paths will be modified. The included deep-research bundle further contains autonomous scripts that perform web searches, spawn agents, and write to ~/.claude/research_output/ — these behaviors are reasonable for that bundled skill but increase the overall attack surface. The instructions do not warn users about file writes, network downloads, or running any language runtimes (Node/Python).
⚠ Install mechanism
There is no formal install spec in the metadata (instruction-only claim) yet README/SKILL.md recommend an npx command ('npx skills add lumacoder/open-skills -g -y'). The project includes package.json and many source files (TypeScript + Python) indicating it is intended to be installed as an npm package, but 'Source: unknown' and 'Homepage: none' create provenance ambiguity. No explicit external download URLs are listed in install metadata; still, npx/npm will fetch code from a registry — verify the published package/author before running. Bundled Python scripts would execute only if invoked, but the presence of scripts increases risk if the installer executes postinstall hooks (no install spec provided to say it doesn't).
⚠ Credential requirements
The skill declares no required environment variables or credentials, which is plausible for a manager that fetches public skills. However the code contains GitHub resolvers, remote resolvers, adapters, and a 'registry' subsystem that will perform network fetches — private repo installs or some adapters could require tokens (not declared). The deep-research bundle documents use of WebSearch and optional Exa MCP tools and includes Python scripts — so additional runtimes/credentials may be necessary for some functionality even though none are declared.
ℹ Persistence and privileges
The skill is not marked always:true and is user-invocable. That is appropriate. However the package contains bundled skills (e.g., deep-research) that are explicitly designed for autonomous operation when triggered (trigger keywords described in deep-research docs). If you install those bundled skills into an agent environment, they may run autonomously when their triggers occur. This is expected behavior for skills but worth noting: autonomous invocation combined with network fetch + file writes increases blast radius.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v2.0.1 2026/4/16
ahai
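● Harmless
Install command
Official: npx clawhub@latest install open-skills
Mirror: npx clawhub@latest install open-skills --registry https://cn.longxiaskill.com (mirror sync in progress)
Skill documentation
After installation, run open-skills to start the interactive guide:
- Select the target editors (multiple selection allowed)
- Select the install scope (global / local)
- Select a category (frontend / backend / ops / product / UI / ...)
- Multi-select specific skills with the space bar
- After confirmation, skills are downloaded, converted, and written out automatically
Installation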
npx skills add lumacoder/open-skills -g -y
Usage
open-skills
Supported target editors
- Claude Code
- Hermes
- Cursor
- Windsurf
- Cline
- Cursor Skills
- Roo-Cline
- Antigravity
- GitHub Copilot