📦 The Synthetic Context Generator — 合成上下文
v1.0.2为 AI 编码任务量身定制上下文窗口,自动聚合相关代码模式、常见陷阱、StackOverflow 解决方案及本地项目信息,提升补全与问答精度。
0· 132·0 当前·0 累计
by 下载技能包
最后更新
2026/4/21
安全扫描
OpenClaw
安全
high confidenceThe skill's code, instructions, and dependencies are consistent with its stated purpose of building curated context windows from a local project, a built-in knowledge base, and StackOverflow; nothing requests unrelated credentials or hidden endpoints.
评估建议
This skill appears to do what it says: it will read and index any project path you give it, combine results with its built-in knowledge base, and fetch relevant StackOverflow answers. Before using it: (1) do not point it at directories that contain secrets (private keys, .env files, credential stores) because those files can be read and included in outputs; (2) consider running it in a non-sensitive workspace or with a copy of your repo; (3) be aware outputs may include snippets from your codeba...详细分析 ▾
✓ 用途与能力
Name/description say: generate context windows from local code, a KB, and web (StackOverflow). The code implements a CLI that parses goals, searches a built-in knowledge base, optionally indexes/searches a user-specified local project, and queries the StackExchange API. Declared dependencies (fuse.js, tiktoken, glob, commander) match these capabilities. The presence of dotenv in package.json and dotenv usage shown only inside KB samples is slightly unnecessary but not harmful; overall the required assets align with the stated purpose.
ℹ 指令范围
SKILL.md and the CLI explicitly read and index files under any project path you provide (glob patterns include many code and text file types) and fetch StackOverflow results. This is expected for a context generator, but it does mean any files you point at (including secrets or credentials) will be read and appear in outputs. The skill does not attempt to read system-wide config paths or other unrelated locations. Implementation detail: searchLocal auto-triggers indexProject without awaiting it which can cause timing issues but not a security violation.
✓ 安装机制
No install spec is provided by the registry (instruction-only install). The project includes normal npm dependencies sourced from the public registry (package.json/lock present). There are no external arbitrary download URLs or archive extracts. Risk here is standard for installing third‑party Node packages.
✓ 凭证需求
The skill declares no required environment variables or credentials. The code itself does not attempt to access secrets or remote APIs that require credentials. Note: KB examples contain code snippets that reference environment variables (e.g., JWT_SECRET, dotenv), but those are inert examples and not runtime requirements of the skill.
✓ 持久化与权限
The skill does not request persistent, elevated platform privileges and 'always' is false. Its indexing stores data in module-level variables (in-memory) and does not persist indexes to disk or modify other skills. The CLI exposes an 'index' command to build an in-memory index for the running process only.
⚠ src/sources/knowledgeBase.js:42
Dynamic code execution detected.
⚠ src/sources/knowledgeBase.js:131
Environment variable access combined with network send.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.22026/3/20
Remove web UI, CLI only
● 无害
安装命令
点击复制官方npx clawhub@latest install scg
镜像加速npx clawhub@latest install scg --registry https://cn.longxiaskill.com镜像同步中