📦 clawgo-clone — 一键导入模板

Name: clawgo-clone — 一键导入模板
Rating: 1

v1.0.1

通过 key 从 clawgo.me 下载 zip，先备份当前 OpenClaw 工作区，再将模板内容覆盖到本地，实现快速复刻项目。

1· 150·0 当前·0 累计

by @chenjunyeee

开发工具自动化文件处理

下载技能包

最后更新

2026/3/24

安全扫描

VirusTotal

可疑

查看报告

OpenClaw

可疑

medium confidence

NULL

评估建议

This skill does what it says, but take precautions before running it: only use it if you trust clawgo.me and the key's source. Before copying files into your workspace, inspect the zip listing for any path components (../) or absolute paths and for symlinks. Prefer a safer extraction strategy (for example: unzip into a temp dir, reject files whose paths contain '/' or start with '/', reject symlinks, and verify each extracted file is a regular file whose resolved path is inside the temp director...

详细分析 ▾

✓ 用途与能力

Name/description match the instructions: the skill downloads a zip from clawgo.me, backs up ~/.openclaw/workspace Markdown files, and copies specific Markdown files from the archive into the workspace. No unrelated credentials, binaries, or config paths are requested.

⚠ 指令范围

Instructions perform exactly the claimed actions but omit safe-extraction and integrity checks. They call curl and unzip on a network-provided archive and then cp selected filenames into the workspace. Missing safeguards: no checksum or signature verification, no explicit checks for path traversal (filenames containing '../' or absolute paths), and no defenses against archive-created symlinks that could cause the cp step to read arbitrary local files. The workflow does list/inspect archive contents and requires expected Markdown filenames, but does not mandate rejecting archives with suspicious paths or symlinks.

✓ 安装机制

Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. Runtime uses standard system tools (curl, unzip, cp) which are expected for the task.

✓ 凭证需求

No environment variables, credentials, or config paths are requested. The externally fetched zip is the only external dependency (clawgo.me). This is proportionate to the stated purpose.

✓ 持久化与权限

The skill is not always-enabled and does not request persistent system privileges or modify other skills. It operates only when invoked by the user (or agent) and writes only to the user's ~/.openclaw/workspace and /tmp for backups; this matches its purpose.

安全有层次，运行前请审查代码。

运行时依赖

无特殊依赖

版本

latestv1.0.12026/3/20

NULL

● 可疑

安装命令

点击复制

官方npx clawhub@latest install clawgo-clone

镜像加速npx clawhub@latest install clawgo-clone --registry https://cn.longxiaskill.com

数据来源：ClawHub ↗ · 中文优化：龙虾技能库