Security scan
OpenClaw
Suspicious
medium confidence
The skill's description matches its behavior, but the runtime instructions reference environment variables and operations (git clones, writing to dotfiles, and a self-upgrade command) that are not declared or constrained — this mismatch warrants caution.
Assessment recommendations
This skill appears to do what it says (manage Oh My Zsh plugins and write custom zsh files), but there are three things to watch for before installing or allowing it to run: (1) It references and will likely use git to clone external plugins but doesn't declare 'git' as a required binary — ensure git is present and be aware clones download and run third-party shell code. (2) It reads/writes ~/.zshrc and $ZSH_CUSTOM/*.zsh — allow it only if you trust the changes; review any proposed file content ...
Detailed analysis
⚠ Purpose and capabilities
The skill's stated purpose (manage Oh My Zsh plugins and custom files) matches the instructions. However, it omits declaring practical runtime requirements: external plugin installation requires 'git' and the skill references $ZSH and $ZSH_CUSTOM without listing them in requires.env or required binaries. This omission is an incoherence between claimed capabilities and declared requirements.
⚠ Instruction scope
Instructions explicitly tell the agent to modify user files (~/.zshrc and $ZSH_CUSTOM/*.zsh) and to clone arbitrary GitHub repositories. Those actions are within the skill's purpose but are powerful file- and network-level operations. Additionally, SKILL.md includes a 'self-improve' step that directs the agent to run '/skill-manager upgrade omz' after invocation, which causes the agent to attempt to upgrade the skill itself — this is scope-creep that can lead to unexpected self-modification if executed without explicit user consent.
ℹ Install mechanism
There is no install spec (instruction-only), which reduces disk-side risk. However, external plugin installation relies on 'git clone' from third-party repos (GitHub). Because the skill will advise or perform network clones, the effective runtime requires network access and git; those expectations should be declared.
⚠ Credential requirements
The skill declares no required environment variables or credentials, yet instructions reference $ZSH and $ZSH_CUSTOM and default paths. While these are not secrets, the mismatch between declared env requirements and referenced env variables is a coherence issue. No sensitive credentials are requested, which is appropriate.
ℹ Persistence and privileges
The skill does not request always:true and does not require special system-wide privileges. The only persistence-related concern is the 'self-improve' instruction to run '/skill-manager upgrade omz' — it instructs the agent to upgrade the skill after use, which could change the skill's behavior over time if performed automatically. This should be clarified or gated by explicit user confirmation.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v0.1.0 2026/3/31
Initial release: plugin and custom zsh topics
● Pending
Install command
Official: npx clawhub@latest install omz
Mirror: npx clawhub@latest install omz --registry https://cn.longxiaskill.com (mirror syncing)
Skill documentation
Oh My Zsh plugin management and custom configuration authoring.
Topics
| Topic | Description | Guide |
|---|---|---|
| plugin | Add/install plugins to .zshrc plugins=() array | plugin.md |
| custom | Write $ZSH_CUSTOM/*.zsh based on requirements | custom.md |
Self-Improvement
After this skill invocation completes, self-improve based on the conversation:
- Detect limitations, failures, or workaround patterns for the skill in the conversation
- If improvement candidates are found, run
/skill-manager upgrade omz