skillnet
SkillNet enables users to search, create, and evaluate reusable agent skills, enhancing efficiency in task management.
Install this skill
Security score
The skillnet skill was audited on Feb 26, 2026 and we found 46 security issues across 3 threat categories, including 2 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Access to hidden dotfiles in home directory
| 100 | skillnet download "<skill-url>" -d ~/.openclaw/workspace/skills |
Access to hidden dotfiles in home directory
| 107 | ls -la ~/.openclaw/workspace/skills/<skill-name>/ |
Access to hidden dotfiles in home directory
| 110 | head -20 ~/.openclaw/workspace/skills/<skill-name>/SKILL.md |
Access to hidden dotfiles in home directory
| 113 | cat ~/.openclaw/workspace/skills/<skill-name>/SKILL.md |
Access to hidden dotfiles in home directory
| 116 | ls ~/.openclaw/workspace/skills/<skill-name>/scripts/ 2>/dev/null |
Access to hidden dotfiles in home directory
| 135 | ls ~/.openclaw/workspace/skills/ |
Access to hidden dotfiles in home directory
| 136 | grep -rl "<keyword>" ~/.openclaw/workspace/skills/*/SKILL.md 2>/dev/null |
Access to hidden dotfiles in home directory
| 168 | --output-dir ~/.openclaw/workspace/skills |
Access to hidden dotfiles in home directory
| 171 | skillnet create --office report.pdf --output-dir ~/.openclaw/workspace/skills |
Access to hidden dotfiles in home directory
| 174 | skillnet create trajectory.txt --output-dir ~/.openclaw/workspace/skills |
Access to hidden dotfiles in home directory
| 178 | --output-dir ~/.openclaw/workspace/skills |
Access to hidden dotfiles in home directory
| 184 | skillnet evaluate ~/.openclaw/workspace/skills/<new-skill> |
Access to hidden dotfiles in home directory
| 201 | skillnet evaluate ~/.openclaw/workspace/skills/my-skill |
Access to hidden dotfiles in home directory
| 212 | skillnet analyze ~/.openclaw/workspace/skills |
Access to hidden dotfiles in home directory
| 220 | skillnet analyze ~/.openclaw/workspace/skills |
Access to hidden dotfiles in home directory
| 228 | skillnet evaluate ~/.openclaw/workspace/skills/skill-a |
Access to hidden dotfiles in home directory
| 229 | skillnet evaluate ~/.openclaw/workspace/skills/skill-b |
Access to hidden dotfiles in home directory
| 232 | `skillnet analyze` only generates a report — it never modifies or deletes skills. Any cleanup actions (removing duplicates, pruning low-quality skills) require user confirmation before executing. Use |
Access to hidden dotfiles in home directory
| 243 | | User provides a GitHub URL | Confirm with user → `skillnet create --github <url> -d ~/.openclaw/workspace/skills` → evaluate → read SKILL.md → apply | |
Access to hidden dotfiles in home directory
| 244 | | User shares a PDF/DOCX/PPT | Confirm with user → `skillnet create --office <file> -d ~/.openclaw/workspace/skills` → evaluate → read SKILL.md → apply | |
Access to hidden dotfiles in home directory
| 245 | | User provides execution logs or data | Confirm with user → `skillnet create <file> -d ~/.openclaw/workspace/skills` → evaluate → read SKILL.md → apply | |
Access to hidden dotfiles in home directory
| 264 | --output-dir ~/.openclaw/workspace/skills --model <model-name> |
Access to hidden dotfiles in home directory
| 265 | skillnet evaluate ~/.openclaw/workspace/skills/<new-skill> --model <model-name> |
Access to hidden dotfiles in home directory
| 320 | API_KEY="..." BASE_URL="..." skillnet create --prompt "..." --output-dir ~/.openclaw/workspace/skills |
Access to hidden dotfiles in home directory
| 391 | skillnet download "https://github.com/.../langgraph-supervisor-template" -d ~/.openclaw/workspace/skills |
Access to hidden dotfiles in home directory
| 394 | ls -la ~/.openclaw/workspace/skills/langgraph-supervisor-template/ |
Access to hidden dotfiles in home directory
| 395 | head -20 ~/.openclaw/workspace/skills/langgraph-supervisor-template/SKILL.md |
Access to hidden dotfiles in home directory
| 397 | cat ~/.openclaw/workspace/skills/langgraph-supervisor-template/SKILL.md |
Access to hidden dotfiles in home directory
| 412 | skillnet create --github https://github.com/langchain-ai/langgraph --output-dir ~/.openclaw/workspace/skills |
Access to hidden dotfiles in home directory
| 413 | skillnet evaluate ~/.openclaw/workspace/skills/langgraph |
Access to hidden dotfiles in home directory
| 414 | cat ~/.openclaw/workspace/skills/langgraph/SKILL.md |
Access to hidden dotfiles in home directory
| 429 | --output-dir ~/.openclaw/workspace/skills |
Access to hidden dotfiles in home directory
| 430 | skillnet evaluate ~/.openclaw/workspace/skills/langgraph-code-pipeline |
Access to hidden dotfiles in home directory
| 488 | - **Local-only persistence**: Downloaded skill files are written to disk (`~/.openclaw/workspace/skills/`) as plain text. They do not receive any system permissions and are not auto-loaded on future s |
Prompting for API key/token input
| 258 | 3. If `API_KEY` is not configured → use the standard API_KEY ask template (see "Environment Variables & Credential Strategy"). |
Prompting for API key/token input
| 320 | API_KEY="..." BASE_URL="..." skillnet create --prompt "..." --output-dir ~/.openclaw/workspace/skills |
Prompting for API key/token input
| 334 | > I need an OpenAI-compatible API_KEY (used only for create/evaluate/analyze in this run). Optionally provide BASE_URL and model name (default gpt-4o). May I proceed with your key? |
External URL reference
| 293 | | `BASE_URL` | custom LLM endpoint | `https://api.openai.com/v1` | |
External URL reference
| 342 | > Would you like to use a custom LLM BASE_URL? (default `https://api.openai.com/v1`) |
External URL reference
| 356 | "BASE_URL": "https://api.openai.com/v1", |
External URL reference
| 410 | # to your configured LLM endpoint (https://api.openai.com/v1) using your API_KEY." |
External URL reference
| 452 | - **search / download**: Only the query string is sent to `https://api-skillnet.openkg.cn`. No local files, credentials, or personal data are transmitted. Downloaded content comes exclusively from `gi |
External URL reference
| 453 | - **create / evaluate / analyze**: Content is processed via the LLM endpoint you configure (`BASE_URL`, default: `https://api.openai.com/v1`). No data is sent to the SkillNet service for these operati |
External URL reference
| 454 | - **Local/air-gapped friendly**: Point `BASE_URL` to a local endpoint (e.g., `http://127.0.0.1:8000/v1` for vLLM, LM Studio, Ollama). |
External URL reference
| 477 | - **Before any `create` or `evaluate` call**, inform the user approximately how much data will be sent and to which endpoint (e.g., "~12K characters of skill content will be sent to https://api.openai |
External URL reference
| 478 | - **For sensitive content**, recommend using a local LLM endpoint (`BASE_URL=http://127.0.0.1:...`) to keep data on the user's machine. |
Install this skill with one command
/learn @zjunlp/skillnet