by 安全扫描
OpenClaw
安全
medium confidenceThe skill's code, hooks, and instructions are coherent with a lazy-loading agent registry: it indexes agents, offers search/get/list CLI tools, and installs a hook that auto-suggests agents on each user prompt; nothing requested is disproportionate to that purpose, though there are operational/privacy considerations to review before installing.
评估建议
This Agent Registry appears to do what it says: index agents, search by intent, and lazily load agent content. Before installing: (1) review the code (especially lib/registry.js and lib/telemetry.js) to verify the path-confinement logic and telemetry behavior; (2) prefer the default non-destructive migration (do not use --move unless you intend to relocate files); (3) note that the hook runs on every prompt and will inject agent suggestions automatically (disable or uninstall if you do not want ...详细分析 ▾
✓ 用途与能力
Name/description match the actual behavior: the repository contains a registry index, BM25 search, CLI commands (search/get/list/rebuild/init), and a UserPromptSubmit hook that implements the described lazy-loading and discovery flow. The migration/copy/move functionality is appropriate for a registry tool.
ℹ 指令范围
The registered hook (hooks/user_prompt_search.js) runs on every user prompt, reads the local registry.json inside the skill, and may inject additionalContext with matching agent names/summaries. This is within the described purpose but is broad in scope (automatic per-prompt behavior) and affects what Claude sees for every conversation; the migration scripts also scan ~/.claude/agents/ and the project's .claude/agents/ to copy or move agent files (move is opt-in).
ℹ 安装机制
There is no platform-level install spec in the SKILL.md, but the bundle includes an install.sh and recommends using npx skills add or cloning. The installer copies files into ~/.claude/skills/agent-registry/ and will optionally install @clack/prompts only when --install-deps is used. This is reasonable, but the README's npx/npm install suggestions imply pulling code from an external registry/repo—review the remote source before running network-based installers.
✓ 凭证需求
The skill declares no required env vars or credentials. Telemetry exists but is opt-in (AGENT_REGISTRY_TELEMETRY), and code paths respect opt-out flags per the docs. No secrets or unrelated credentials are requested by the skill.
ℹ 持久化与权限
The skill installs a per-prompt hook (UserPromptSubmit) which will run automatically when the skill is enabled — this is expected for discovery behavior. always:false and no elevated OS privileges are requested. Because the hook runs on every prompt, users should be aware of the continuous runtime presence and the fact that installing/enabling the skill grants it the ability to inject additionalContext into conversations.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv2.0.12026/1/21
agent-registry v2.0.1 - Migrated all CLI scripts from Python to faster Bun/JavaScript implementations. - Introduced user prompt hook for agent search (integrated with Claude's plugin system). - Enhanced install process: optional dependency install for improved UI, Bun-first workflow, Python no longer required. - Added modern interactive migration UI using @clack/prompts (with fallback to basic text selection). - Updated docs and commands to reflect new Bun-based CLI; all registry operations via `bun bin/*.js`.
● 可疑
安装命令
点击复制官方npx clawhub@latest install agent-registry
镜像加速npx clawhub@latest install agent-registry --registry https://cn.longxiaskill.com