Skill Auto-Installer
Automatically discover, evaluate, validate, and install new PopeBot skills from GitHub repositories.
Quick Start
Discover skills from a GitHub repo
node /job/.pi/skills/skill-autoinstaller/discover.js --repo zeroclaw-labs/zeroclaw
Evaluate a specific skill
node /job/.pi/skills/skill-autoinstaller/evaluate.js --path /tmp/skills/awesome-skill
Install a skill
node /job/.pi/skills/skill-autoinstaller/install.js --path /tmp/skills/awesome-skill
Full pipeline: discover → evaluate → install
node /job/.pi/skills/skill-autoinstaller/pipeline.js --repo openclaw/openclaw --pattern "skills/*"
Commands
discover.js
Scans a GitHub repository for potential skills.
Scan by repo
node /job/.pi/skills/skill-autoinstaller/discover.js --repo zeroclaw-labs/zeroclaw
Scan local directory
node /job/.pi/skills/skill-autoinstaller/discover.js --dir /path/to/repo
With search pattern
node /job/.pi/skills/skill-autoinstaller/discover.js --repo openclaw/openclaw --pattern "skills/*"
JSON output
node /job/.pi/skills/skill-autoinstaller/discover.js --repo zeroclaw-labs/zeroclaw --json
evaluate.js
Performs security audit and compatibility check on a skill directory.
Evaluate skill
node /job/.pi/skills/skill-autoinstaller/evaluate.js --path /tmp/skills/my-skill
With security audit
node /job/.pi/skills/skill-autoinstaller/evaluate.js --path /tmp/skills/my-skill --security
JSON output
node /job/.pi/skills/skill-autoinstaller/evaluate.js --path /tmp/skills/my-skill --json
install.js
Installs a validated skill into PopeBot.
Install skill
node /job/.pi/skills/skill-autoinstaller/install.js --path /tmp/skills/my-skill
With activation
node /job/.pi/skills/skill-autoinstaller/install.js --path /tmp/skills/my-skill --activate
Dry run
node /job/.pi/skills/skill-autoinstaller/install.js --path /tmp/skills/my-skill --dry-run
pipeline.js
Runs the full discovery → evaluation → installation pipeline.
Full pipeline
node /job/.pi/skills/skill-autoinstaller/pipeline.js --repo zeroclaw-labs/zeroclaw
With pattern matching
node /job/.pi/skills/skill-autoinstaller/pipeline.js --repo openclaw/openclaw --pattern "skills/*"
Interactive mode
node /job/.pi/skills/skill-autoinstaller/pipeline.js --repo zeroclaw-labs/zeroclaw --interactive
Security Audit Checks
The evaluator performs these security checks (inspired by ZeroClaw's audit system):
-
Manifest Validation: SKILL.md must exist with valid frontmatter
-
Path Traversal: No .. in paths or symlinks outside sandbox
-
Dangerous Patterns: No eval, exec, child_process without sandboxing
-
Secret Handling: No hardcoded credentials
-
Network Calls: External calls must be intentional and documented
-
File Operations: Write operations must be confined to /job/tmp/ or skill directory
-
Permission Model: Skills declare required permissions in metadata
Skill Metadata Format
Skills should include this metadata in SKILL.md frontmatter:
name: skill-name description: What the skill does homepage: https://github.com/author/skill metadata: { "popebot": { "emoji": "🔧", "requires": { "bins": ["node", "git"] }, "permissions": ["network", "filesystem"], "install": [ { "id": "npm", "kind": "npm", "package": "@scope/package", "bins": ["tool"], "label": "Install tool (npm)", }, ], }, }
Installation Strategies
The auto-installer supports multiple installation methods:
-
npm: npm install -g package
-
brew: brew install formula
-
apt: apt-get install package
-
pip: pip install package
-
go: go install package@latest
-
binary: Download from release URL
-
script: Run installation script
-
source: Build from source
Error Handling
-
Failed discovery: Returns empty list with error message
-
Failed evaluation: Skill marked as "incompatible" with reasons
-
Failed installation: Rollback to previous state, detailed error log
Output Formats
All commands support --json for machine-readable output:
{ "status": "success", "skills": [ { "name": "skill-name", "path": "/tmp/skills/skill-name", "evaluation": { "passed": true, "score": 95 }, "installed": true } ] }