📦 Social Hub Server — 关系匹配引擎
v1.0.0独立运行的 OpenClaw 实例,接收用户画像摘要并维护全局注册表,基于处境一致与能力互补算法双向匹配,监控阈值触发通知并收集反馈优化。
0· 1.3k·1 当前·1 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
Before installing or running this skill, get answers to these questions and take these steps:
- Clarify required dependencies and credentials: which LLM/embedding provider(s) will be used, and what environment variables or API keys are required? Where are those keys stored and who can access them?
- Ask for an install spec or code: provide the missing references (message-protocol.md, matching-algorithm.md) and any scripts or container images used to run ChromaDB and the engine so you can review...详细分析 ▾
⚠ 用途与能力
The described purpose (centralized matching engine) plausibly requires storing user profiles, running matching logic, and sending messages to personal Agents. However, the skill's metadata declares no required env vars, binaries, or install steps while the instructions clearly require: (1) an embedding API / LLM API, (2) a ChromaDB vector database, (3) the ability to send/receive messages on an internal group channel, and (4) persistent filesystem access under ~/.matchbot-engine. The absence of any declared credentials, endpoints, or dependency list is disproportionate to the actual runtime needs.
⚠ 指令范围
SKILL.md instructs the agent to read/write local files (~/.matchbot-engine/registry.json, match_history.json, chromadb dir), to call embedding and LLM APIs for scoring, to upsert vectors into ChromaDB, to send/receive structured messages (HEARTBEAT, PROFILE_UPDATE, MATCH_FOUND, etc.), and to run periodic cron jobs. All of those are within what a matching engine would do, but they involve handling sensitive user profile data and require explicit instructions about which APIs/endpoints/credentials to use. The SKILL.md also references external spec files (references/message-protocol.md, references/matching-algorithm.md) that are not provided; that leaves runtime behavior underspecified and gives the agent wide discretion (e.g., which LLM/embedding provider to call and what data to send).
ℹ 安装机制
This is an instruction-only skill (no install spec and no code files). That lowers immediate supply-chain risk, but it also means the instructions assume preinstalled components (ChromaDB, embedding/LLM client libraries, cron integration). The skill does not document how to install or configure those components. Lack of an install/packaging plan is an operational gap that increases the chance of misconfiguration or accidental use of unapproved APIs.
⚠ 凭证需求
The SKILL.md requires access to sensitive user profile data and to external LLM/embedding services, but the registry metadata declares no required environment variables or primary credential. In practice the skill needs credentials (API keys/tokens) for any cloud LLM/embedding provider and possibly connection info for ChromaDB or messaging channels. Asking for none in the manifest is inconsistent and obscures what secrets will be needed and where they might be stored or used.
ℹ 持久化与权限
The skill expects to persist state under ~/.matchbot-engine (registry, history, ChromaDB files) and to be scheduled via cron every 6 hours, etc. It does not set always:true and does not claim to modify other skills; persistence is reasonable for this service. However, persisting full user profiles centrally increases privacy risk and requires explicit retention, access control, encryption, and deletion policies which are not documented in SKILL.md.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/7
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install social-hub-server
镜像加速npx clawhub@latest install social-hub-server --registry https://cn.longxiaskill.com