Dynamic Skill Manager
Track skill usage, find idle skills, and safely manage skill lifecycle.
⚠️ Security Notice
v0.2.0 includes critical security fixes:
- - Path traversal vulnerability fixed in �INLINECODE0
- Input validation for all skill names
- Symlink attack prevention
- System skill protection
Core Concepts
| 概念 | 说明 |
|---|
| Dynamic Skill | 按需安装的 skill,可清理 |
| Pinned Skill |
系统 skill,受保护不可删除 |
|
Registry | skill 元数据存储 |
自动保护的系统 Skills:self-improving-agent, pahf, error-log-selfcheck, �INLINECODE4
Quick Start
CODEBLOCK0
Data Location
CODEBLOCK1
Registry Schema
CODEBLOCK2
Integration Points
- - After skill use: �INLINECODE5
- On user request:
list_skills(), �INLINECODE7
Security Features
The uninstall_skill() function includes multiple safety checks:
- 1. Input Validation: Skill names must be alphanumeric with dashes/underscores only
- Path Traversal Prevention: Resolves paths and verifies containment within skills directory
- Symlink Detection: Rejects symlinks to prevent attacks
- System Skill Protection: Prevents accidental deletion of critical skills
Script Reference
See scripts/skill_manager.py for implementation.
Dynamic Skill Manager
追踪技能使用情况,查找闲置技能,并安全管理技能生命周期。
⚠️ 安全通知
v0.2.0 包含关键安全修复:
- - 修复了 uninstall_skill() 中的路径遍历漏洞
- 对所有技能名称进行输入验证
- 防止符号链接攻击
- 系统技能保护
核心概念
系统技能,受保护不可删除 |
|
注册表 | 技能元数据存储 |
自动保护的系统技能:self-improving-agent, pahf, error-log-selfcheck, dynamic-skill-manager
快速开始
bash
同步已安装技能到注册表
python3 ~/.openclaw/workspace/skills/dynamic-skill-manager/scripts/skill_manager.py sync
列出所有技能(📌 = 固定)
python3 ~/.openclaw/workspace/skills/dynamic-skill-manager/scripts/skill_manager.py list
查看系统技能
python3 ~/.openclaw/workspace/skills/dynamic-skill-manager/scripts/skill_manager.py pinned
查找闲置技能(N 天未使用)
python3 ~/.openclaw/workspace/skills/dynamic-skill-manager/scripts/skill_manager.py idle 30
安全卸载技能(有输入验证)
python3 ~/.openclaw/workspace/skills/dynamic-skill-manager/scripts/skill_manager.py uninstall <技能名称>
记录技能使用
python3 ~/.openclaw/workspace/skills/dynamic-skill-manager/scripts/skill_manager.py track <技能> <上下文>
数据位置
~/.openclaw/workspace/.skill-manager/
├── registry.json # 技能元数据
├── usage-log.jsonl # 使用历史
└── archive/ # 已卸载技能的元数据
注册表结构
json
{
skills: {
skill-name: {
installed_at: 2026-03-07T03:00:00Z,
source: clawhub,
usage_count: 5,
last_used: 2026-03-07T03:00:00Z,
context_keywords: [keyword1],
pinned: false
}
}
}
集成点
- - 技能使用后:trackusage(skillname, contextsummary)
- 用户请求时:listskills(), findidleskills(days)
安全特性
uninstall_skill() 函数包含多重安全检查:
- 1. 输入验证:技能名称只能包含字母数字、短横线和下划线
- 路径遍历防护:解析路径并验证其位于技能目录内
- 符号链接检测:拒绝符号链接以防止攻击
- 系统技能保护:防止意外删除关键技能
脚本参考
实现详见 scripts/skill_manager.py。
