📦 Wanng
v1.0.0Ide Auto Skill Hunter 主动挖掘未满足的用户需求和智能体上下文,发现、排序并安装高价值的 ClawHub 技能。适用于新任务无法解决时、当…
0· 19·0 当前·0 累计
by 下载技能包
最后更新
2026/4/20
安全扫描
OpenClaw
可疑
medium confidenceThe skill's behavior is broadly consistent with a proactive 'skill discovery and install' tool, but it reads potentially sensitive session/profile files, can clone and install third-party skills, and invokes external reporting—capabilities that materially increase risk and deserve careful review before enabling automatic runs.
评估建议
This skill is coherent with its stated goal but has meaningful risks you should accept consciously before enabling automatic runs. Key actions you can take: 1) Start with --dry-run and SKILL_HUNTER_NO_REPORT=1 to preview candidates without installs or external reports. 2) Limit --max-install to 1 and run it manually at first. 3) Review the hunt.js code paths that perform git clones/scaffolds and the downstream SKILL.md/index.js of any candidate before allowing them to install/run. 4) Restrict ex...详细分析 ▾
ℹ 用途与能力
The name/description (discover, rank, install skills) match what the code does: mining session/memory files, searching ClawHub, and installing candidates. However the skill reaches into agent session logs (agents/main/sessions), USER.md, and personality state outside the immediate workspace—access that is reasonable for problem-mining but broader than a minimal 'discovery' tool and should be expected and reviewed.
⚠ 指令范围
SKILL.md instructs running the included hunt.js which (per source) reads recent session JSONL files, task memory, personality/user profile, scores candidates, then clones/installs top skills and runs self-tests. It also references an outbound reporting script and an env flag to disable reporting. Reading cross-session logs and sending external reports are outside purely local search and expand the data-surface exposed by this skill.
⚠ 安装机制
There is no formal install spec, but the code performs repo cloning and scaffold fallbacks to write new skills into the local skills directory. That amounts to downloading and executing third-party code at runtime — expected for a hunter, but high-risk because upstream skill code may be unvetted. The code uses child_process (execSync/spawnSync) which can run arbitrary system commands during discovery/install.
ℹ 凭证需求
The skill declares no required env vars, but the code reads workspace files (USER.md, memory files, sessions) and honors SKILL_HUNTER_MAX_INSTALL and SKILL_HUNTER_NO_REPORT env flags. It does not request cloud keys, but it does access potentially sensitive local artifacts (session logs, user profile) which is proportionate to problem-mining yet privacy-sensitive and not explicitly declared in metadata.
ℹ 持久化与权限
always:false and model invocation is allowed (default). The skill writes to the skills directory (installs/clones) and recommends periodic runs (cron). Autonomous installation capability combined with filesystem write and outbound reporting increases blast radius if misused, but autonomous invocation alone is normal for skills.
⚠ src/hunt.js:594
Shell command execution detected (child_process).
⚠ src/hunt.js:59
Environment variable access combined with network send.
⚠ src/hunt.js:89
File read combined with network send (possible exfiltration).
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/20
Initial release of auto-skill-hunter — a proactive skill discovery and installation tool for ClawHub agents. - Automatically mines unresolved user needs and session context to find and rank high-value skills. - Supports both fully automatic patrol mode and targeted skill hunts for specific gaps. - Installs vetted skills and explains selection rationale in concise reports. - Includes safety features: capped install count, preview (`--dry-run`), and never overwrites existing skills. - Recommended for agents needing hands-off capability growth or lightweight discover/test/keep workflows.
● 可疑
安装命令
点击复制官方npx clawhub@latest install wanng-ide-auto-skill-hunter
镜像加速npx clawhub@latest install wanng-ide-auto-skill-hunter --registry https://cn.longxiaskill.com