by 安全扫描
OpenClaw
可疑
medium confidence该技能与其声明目的一致(通过调用 npm 包搭建 wiki),但它指示代理下载并执行未包含在技能包内的远程代码(npx/npm),并提出无法验证的隐私/遥测声明——这种不匹配需谨慎对待。
评估建议
This skill instructs the agent to run npx to download and execute the create-opc-wiki npm package and to run npm install/start in generated directories. That is coherent with scaffolding a wiki, but you should verify the external package before running it: review the npm package and GitHub repo (https://www.npmjs.com/package/create-opc-wiki and https://github.com/MackDing/create-opc-wiki), inspect mcp/server.mjs and site/build.mjs to confirm the claimed privacy gates, and prefer pinning to a spe...详细分析 ▾
✓ 用途与能力
The name/description (scaffold a personal LLM wiki) matches the instructions: the SKILL.md explicitly wraps an npm package create-opc-wiki and provides commands to scaffold a vault, run an MCP server, and build a static site. Required capabilities (filesystem access, running shell commands, optional npm installs) are consistent with the claimed functionality.
ℹ 指令范围
The instructions tell the agent to run shell commands (npx -y create-opc-wiki@latest <path> and later npm install/npm start in generated subdirs). This is within the scope of scaffolding a project, but it does cause the agent to fetch and execute third-party code at runtime. The SKILL.md also asserts privacy guarantees (lines referencing mcp/server.mjs:38 and site/build.mjs:53) even though the skill bundle contains no code to verify those claims — the guarantees are unverified assertions about external package code.
⚠ 安装机制
There is no install spec in the skill bundle; instead the runtime instructions invoke npx to pull create-opc-wiki@latest from npm. Fetching and executing an npm package at runtime is a moderate-to-high risk pattern because arbitrary code will be downloaded and run locally. While npm is a well-known registry (less risky than random URLs), the actual package contents are not included in the skill and were not scanned here, so behavior and telemetry cannot be audited from this bundle.
✓ 凭证需求
The skill declares no required environment variables, credentials, or config paths. That aligns with the stated purpose; nothing in SKILL.md asks the agent to read unrelated secrets. The lack of requested credentials is a positive sign.
✓ 持久化与权限
always is false and the skill is user-invocable (normal). The skill does not request persistent platform-level privileges or modify other skills. Note: the agent is allowed to invoke the skill autonomously by platform defaults, but that is not unique to this skill and is not by itself flagged here.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.12026/4/26
v1.0.1:安装时自动通过 gh-CLI 为仓库点星;技能清单已发布至 ClawHub。
● Pending
安装命令
点击复制官方npx clawhub@latest install create-opc-wiki
镜像加速npx clawhub@latest install create-opc-wiki --registry https://cn.longxiaskill.com 镜像可用
本土化适配说明
Clawhub 安装说明: 安装命令:npx clawhub@latest install create-opc-wiki
技能文档
按 Karpathy 模式 30 秒生成个人 LLM wiki。原生多 Agent、内置 MCP server、SEO/GEO 优化发布。
功能
对任意文件夹运行脚手架,立即获得完整个人知识库:agent-rules/main.md—— 唯一真相源,同步至 9 种 Agent 格式(CLAUDE.md、AGENTS.md、.cursor/rules/main.mdc、.cursorrules、.github/copilot-instructions.md、.trae/rules.md、.openclaw/rules.md、.hermes/agent.md)- 三大复用技能:
/wiki-ingest、/wiki-query、/wiki-lint - 五种来源配方:arXiv 论文、X 线程、YouTube 字幕、RSS 文章、播客字幕
- 隐私标签 frontmatter:
public | private | secret - 内置 MCP server,三工具(
wiki_query、wiki_list、wiki_read)+ 硬隐私闸(privacy: secret页面 绝不外泄) - 可选 Astro 静态站目标,带 sitemap.xml、llms.txt、robots.txt、RSS、OpenGraph + JSON-LD
调用
技能封装已发布 npm 包create-opc-wiki@latest。任意可执行 shell 的 Agent:
``bash
npx -y create-opc-wiki@latest <路径> --yes --agents=openclaw,claude,codex,cursor
`
常用一行命令: Agent 命令 OpenClaw npx -y create-opc-wiki@latest ~/wiki --yes --agents=openclaw,claude Claude Code npx -y create-opc-wiki@latest ~/wiki --yes --agents=claude Codex CLI npx -y create-opc-wiki@latest ~/wiki --yes --agents=codex Cursor npx -y create-opc-wiki@latest ~/wiki --yes --agents=cursor 全部 npx -y create-opc-wiki@latest ~/wiki --yes --agents=openclaw,claude,codex,cursor,hermes,vscode,trae
加 --no-mcp、--no-site、--no-recipes、--no-git 可跳过对应层。--json 输出机器可读结果。 使用生成的 vault
- Obsidian 打开文件夹(即为合法 Obsidian vault)—— 或
- AI Agent 打开文件夹(读取 CLAUDE.md / AGENTS.md / .openclaw/rules.md 等)
- 在 Agent 内使用三大技能:
- /wiki-ingest —— 丢入新源,自动归档到 raw/ 并合成 wiki 页
- /wiki-query <问题> —— 自然语言查询已编译 wiki
- /wiki-lint —— 健康检查(矛盾、过时 speculative 声明、孤儿页) MCP server 位于 mcp/server.mjs,向任意 MCP 客户端(Claude Desktop、Cursor、Codex)暴露 wiki。在 mcp/ 目录执行 npm install && npm start。
为何用 wiki 而非纯 RAG
多数 LLM-on-files 每次查询都重新从原始文档推导,无积累。引 Karpathy 原话:
LLM 增量构建并维护持久 wiki —— 结构化、互联的 markdown 文件集合,介于你与原始源之间。每加一份源、每提一次问,wiki 都更丰富。
本技能将其工程化,固化本体、Agent 规则、MCP、发布方案。
隐私与安全
privacy: secret页面 MCP server 永不返回(mcp/server.mjs:38强制)privacy: public唯一可发布(site/build.mjs:53强制)默认 frontmatter 隐私为private—— 不会意外发布脚手架一次性本地运行,无遥测,无网络请求(除你手动触发的可选npm install)
链接
- npm:
- GitHub:
- 灵感:
稳定性范围:见仓库STABILITY.md各 Agent 安装示例:见仓库docs/INSTALL-FOR-AGENTS.md
许可证
MIT。受 Andrej Karpathy “LLM Wiki” gist 启发;实现细节为本项目所有。完整致谢见 INSPIRATION.md`。