Skillminer

v0.5.3

Suggest reusable skills from recurring patterns in local memory files. Human review gate, drafts only to skills/_pending/, local-first runner with optional e...

Security Scan
Capability signals
Requires OAuth token
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description, scripts, and prompts consistently implement a local memory scanner + draft writer that writes to state/ and skills/_pending/. Required binaries (bash, jq, git, openclaw, flock, date) match the implementation. One small mismatch: metadata lists subprocess 'claude' while capabilities.network is set to false — the package supports an optional FORGE_RUNNER=claude fallback that will send prompt data off-host if explicitly enabled by the user; this is documented, but the capability block could more clearly reflect optional network egress.
Instruction Scope
SKILL.md and the included prompts/scripts limit operations to reading memory/ and writing state/ and skills/_pending/. Prompts explicitly forbid executing memory contents, auto-activation, and sending notifications from inside the prompts. The wrapper-and-prompt model is explicit and scoped; the scripts perform locking, atomic writes, slug validation, and secret-scrubbing before persistence.
Install Mechanism
No install spec is declared (instruction-only in registry) and the repository contains shell scripts and a setup.sh. No remote downloads or obscure third-party install URLs are present in the manifest. The README suggests cloning from GitHub for manual install, which is a normal, low-risk pattern.
Credentials
The skill requires no environment credentials and declares no required env vars. It reads local memory files (by design), which may contain secrets; the project includes conservative redaction via scripts/lib/secret-scrub.sh and externalized patterns. Users should note scrubbing is defense-in-depth, not a guarantee. Optional runtime choice FORGE_RUNNER=claude will send prompt data to Anthropic if enabled; this is opt-in and documented, but it is the only path that would cause networked credential exposure.
Persistence & Privilege
always:false and no system-wide permanent privileges requested. The skill writes to its own workspace paths (state/, skills/_pending/, skills/_rejected/) and uses flock-based locking. It does not attempt to modify other skills or global agent configuration. Nested agent invocation (openclaw by default) is expected for this functionality.
Assessment
This skill appears to do what it says: scan your local OpenClaw memory files, surface recurring patterns, and draft candidate SKILL.md files into skills/_pending/ for your review. Before installing or enabling scheduled runs: 1) run a manual scan (scripts/run-nightly-scan.sh) and inspect state/review/ and state/logs/ to confirm behavior; 2) review scripts/lib/secret-patterns.tsv and scripts/lib/secret-scrub.sh so you understand what is redacted — do not rely solely on scrubbing for sensitive data protection; 3) keep FORGE_RUNNER unset unless you explicitly accept that prompt data will be sent to Anthropic (the default is local-only); and 4) check that the required binaries (openclaw, jq, git, flock, bash) are present and that you are comfortable allowing the skill to read your memory/ directory. The only minor inconsistency is the metadata's inclusion of 'claude' as an allowed subprocess while capabilities.network is false — this is explainable by the documented opt-in fallback but worth noting.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: jq, bash, date, git, openclaw, flock
latest: vk9793fgt1hj0fqz0aph1d303yx859fga
186 downloads
0 stars
24 versions
Updated 1d ago
v0.5.3
MIT-0

skillminer ⚒️

Your AI assistant keeps solving the same problems. skillminer notices and suggests turning them into reusable skills.

skillminer watches your local memory files, spots recurring work, and surfaces the patterns worth keeping. No auto-activation, no cloud sync, no noise by default. A morning suggestion in your inbox when something actually deserves to become a skill.

Trust model

  • Human gate first, always. Nothing ships without your explicit accept.
  • Drafts go to skills/_pending/<slug>/, never to live skills.
  • Default runner is local OpenClaw. No data leaves the host.
  • FORGE_RUNNER=claude is an opt-in external fallback that sends prompt data to Anthropic's API.
  • Notifications are off by default; review files are written locally regardless.

Flow

nightly scan   reads recent memory/YYYY-MM-DD.md files
               detects recurring task patterns
               writes a review file to state/review/
               ↓
YOU DECIDE     forge accept / reject / defer / silence
               ↓
morning write  drafts a SKILL.md into skills/_pending/<slug>/
               you review it, promote it, ship it

Nothing goes live automatically. You stay in control at every step.

Quick start

openclaw skills install skillminer
cd "${CLAWD_DIR:-$HOME/clawd}/skills/skillminer"
bash setup.sh
CLAWD_DIR="${CLAWD_DIR:-$HOME/clawd}" bash scripts/run-nightly-scan.sh

If the manual scan looks good, add the printed scheduler jobs using the dispatcher prompts.

Environment

  • CLAWD_DIR — optional, defaults to ~/clawd
  • FORGE_RUNNER — defaults to openclaw (local). Set to claude only if you accept that prompt data leaves the host.

Commands

forge is the command prefix.

  • forge show — list current candidates
  • forge review — open the latest review file
  • forge accept <slug> — accept a candidate for the next morning write
  • forge reject <slug> "reason" — reject permanently
  • forge defer <slug> "reason" — defer with cooldown
  • forge silence <slug> "reason" — silence without cooldown
  • forge unsilence <slug> — resurface a silenced entry
  • forge promote <slug> — move a pending draft into live skills

Manual triggers

When you want a one-shot run without remembering full paths:

skillminer scan     # run nightly scan now
skillminer write    # run morning write now
skillminer full     # scan + write in sequence
skillminer status   # show current ledger state
skillminer help     # show usage

Security

  • Slug validation gates every filesystem-path boundary (regex-enforced)
  • Atomic state writes with backup rotation and JSON validation
  • flock-based single-instance guarantee across all entry points
  • Memory files are treated as untrusted data in the nightly scan prompt
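
The first two bullets sketched as shell, as an added example that is not skillminer's own code. The slug rule, the 64-character limit, the `.bak` name and the function names are assumptions; flock locking is left out.

```shell
#!/bin/sh
# Added example, not skillminer's code. Slug rule and file names are assumed.
LC_ALL=C; export LC_ALL   # make a-z mean ASCII letters only

# Accept only lowercase alphanumerics joined by single hyphens, max 64 chars
# (the same language as the regex ^[a-z0-9]+(-[a-z0-9]+)*$). Rejects '/', '.',
# whitespace and embedded newlines, so a slug can never name another directory.
valid_slug() {
  case "$1" in
    ''|*[!a-z0-9-]*|-*|*-|*--*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# Build the draft directory for a slug, refusing anything that fails validation.
pending_dir() {  # usage: pending_dir <workspace> <slug>
  valid_slug "$2" || { echo "rejected slug" >&2; return 1; }
  printf '%s/skills/_pending/%s\n' "$1" "$2"
}

# Replace a JSON state file atomically: write a temp file in the same
# directory, validate it, rotate the old copy to .bak, then rename over it.
atomic_write_json() {  # usage: atomic_write_json <target> < new-content
  aw_target=$1
  aw_tmp=$(mktemp "${aw_target}.tmp.XXXXXX") || return 1
  cat > "$aw_tmp" || { rm -f "$aw_tmp"; return 1; }
  # jq is one of the skill's required binaries; the check is skipped if absent.
  if command -v jq >/dev/null 2>&1 && ! jq empty "$aw_tmp" >/dev/null 2>&1; then
    rm -f "$aw_tmp"; return 1
  fi
  [ -f "$aw_target" ] && cp -p "$aw_target" "${aw_target}.bak"
  mv -f "$aw_tmp" "$aw_target"   # rename(2) is atomic within one filesystem
}
```

Matching the whole string with `case` rather than piping it through a line-oriented `grep` matters here: a slug containing a newline would otherwise pass if any single line of it matched.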

See README.md and USER_GUIDE.md for full docs.
