skill-install
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseSkill Install
Claude技能安装
Overview
概述
Install Claude skills from GitHub repositories with built-in security scanning to protect against malicious code, backdoors, and vulnerabilities.
通过内置安全扫描从GitHub仓库安装Claude技能,防范恶意代码、后门和漏洞。
When to Use
使用场景
Trigger this skill when the user:
- Provides a GitHub repository URL and wants to install skills
- Asks to "install skills from GitHub"
- Wants to browse and select skills from a repository
- Needs to add new skills to their Claude environment
当用户出现以下需求时触发此技能:
- 提供GitHub仓库URL并想要安装技能
- 要求“从GitHub安装技能”
- 想要浏览并选择仓库中的技能
- 需要为其Claude环境添加新技能
Workflow
工作流程
Step 1: Parse GitHub URL
步骤1:解析GitHub URL
Accept a GitHub repository URL from the user. The URL should point to a repository containing a directory.
skills/Supported URL formats:
https://github.com/user/repohttps://github.com/user/repo/tree/main/skillshttps://github.com/user/repo/tree/branch-name/skills
Extract:
- Repository owner
- Repository name
- Branch (default to if not specified)
main
接收用户提供的GitHub仓库URL。该URL应指向包含目录的仓库。
skills/支持的URL格式:
https://github.com/user/repohttps://github.com/user/repo/tree/main/skillshttps://github.com/user/repo/tree/branch-name/skills
提取信息:
- 仓库所有者
- 仓库名称
- 分支(未指定时默认使用)
main
Step 2: Fetch Skills List
步骤2:获取技能列表
Use the WebFetch tool to retrieve the skills directory listing from GitHub.
GitHub API endpoint pattern:
https://api.github.com/repos/{owner}/{repo}/contents/skills?ref={branch}Parse the response to extract:
- Skill directory names
- Each skill should be a subdirectory containing a SKILL.md file
使用WebFetch工具从GitHub获取技能目录列表。
GitHub API端点格式:
https://api.github.com/repos/{owner}/{repo}/contents/skills?ref={branch}解析响应以提取:
- 技能目录名称
- 每个技能应为包含SKILL.md文件的子目录
Step 3: Present Skills to User
步骤3:向用户展示技能
Use the AskUserQuestion tool to let the user select which skills to install.
Set to allow multiple selections.
multiSelect: truePresent each skill with:
- Skill name (directory name)
- Brief description (if available from SKILL.md frontmatter)
使用AskUserQuestion工具让用户选择要安装的技能。
设置以支持多选。
multiSelect: true展示每个技能时包含:
- 技能名称(目录名称)
- 简要描述(如果SKILL.md的前置元数据中存在)
Step 4: Fetch Skill Content
步骤4:获取技能内容
For each selected skill, fetch all files in the skill directory:
- Get the file tree for the skill directory
- Download all files (SKILL.md, scripts/, references/, assets/)
- Store the complete skill content for security analysis
Use WebFetch with GitHub API:
https://api.github.com/repos/{owner}/{repo}/contents/skills/{skill_name}?ref={branch}For each file, fetch the raw content:
https://raw.githubusercontent.com/{owner}/{repo}/{branch}/skills/{skill_name}/{file_path}对于每个选中的技能,获取技能目录中的所有文件:
- 获取技能目录的文件树
- 下载所有文件(SKILL.md、scripts/、references/、assets/)
- 存储完整的技能内容以进行安全分析
使用WebFetch调用GitHub API:
https://api.github.com/repos/{owner}/{repo}/contents/skills/{skill_name}?ref={branch}对于每个文件,获取原始内容:
https://raw.githubusercontent.com/{owner}/{repo}/{branch}/skills/{skill_name}/{file_path}Step 5: Security Scan
步骤5:安全扫描
CRITICAL: Before installation, perform a thorough security analysis of each skill.
Read the security scan prompt template from and apply it to analyze the skill content.
references/security_scan_prompt.mdExamine for:
- Malicious Command Execution - eval, exec, subprocess with shell=True
- Backdoor Detection - obfuscated code, suspicious network requests
- Credential Theft - accessing ~/.ssh, ~/.aws, environment variables
- Unauthorized Network Access - external requests to suspicious domains
- File System Abuse - destructive operations, unauthorized writes
- Privilege Escalation - sudo attempts, system modifications
- Supply Chain Attacks - suspicious package installations
Output the security analysis with:
- Security Status: SAFE / WARNING / DANGEROUS
- Risk Level: LOW / MEDIUM / HIGH / CRITICAL
- Detailed findings with file locations and severity
- Recommendation: APPROVE / APPROVE_WITH_WARNINGS / REJECT
关键: 安装前,对每个技能进行全面的安全分析。
从读取安全扫描提示模板,并将其应用于技能内容分析。
references/security_scan_prompt.md检查内容包括:
- 恶意命令执行 - eval、exec、使用shell=True的subprocess
- 后门检测 - 混淆代码、可疑网络请求
- 凭据窃取 - 访问~/.ssh、~/.aws、环境变量
- 未授权网络访问 - 向可疑域名发起外部请求
- 文件系统滥用 - 破坏性操作、未授权写入
- 权限提升 - 尝试使用sudo、修改系统设置
- 供应链攻击 - 可疑的包安装
安全分析输出应包含:
- 安全状态:安全(SAFE)/ 警告(WARNING)/ 危险(DANGEROUS)
- 风险等级:低(LOW)/ 中(MEDIUM)/ 高(HIGH)/ 严重(CRITICAL)
- 包含文件位置和严重程度的详细发现
- 建议:批准(APPROVE)/ 带警告批准(APPROVE_WITH_WARNINGS)/ 拒绝(REJECT)
Step 6: User Decision
步骤6:用户决策
Based on the security scan results:
If SAFE (APPROVE):
- Proceed directly to installation
If WARNING (APPROVE_WITH_WARNINGS):
- Display the security warnings to the user
- Use AskUserQuestion to confirm: "Security warnings detected. Do you want to proceed with installation?"
- Options: "Yes, install anyway" / "No, skip this skill"
If DANGEROUS (REJECT):
- Display the critical security issues
- Refuse to install
- Explain why the skill is dangerous
- Do NOT provide an option to override for CRITICAL severity issues
根据安全扫描结果处理:
如果安全(批准):
- 直接进入安装流程
如果警告(带警告批准):
- 向用户显示安全警告
- 使用AskUserQuestion工具确认:“检测到安全警告。是否继续安装?”
- 选项:“是,仍要安装” / “否,跳过此技能”
如果危险(拒绝):
- 显示严重安全问题
- 拒绝安装
- 解释该技能危险的原因
- 对于严重(CRITICAL)等级的问题,不提供覆盖选项
Step 7: Install Skills
步骤7:安装技能
For approved skills, install to :
~/.claude/skills/- Create the skill directory:
~/.claude/skills/{skill_name}/ - Write all skill files maintaining the directory structure
- Ensure proper file permissions (executable for scripts)
- Verify SKILL.md exists and has valid frontmatter
Use the Write tool to create files.
对于已批准的技能,安装到:
~/.claude/skills/- 创建技能目录:
~/.claude/skills/{skill_name}/ - 保留目录结构写入所有技能文件
- 确保正确的文件权限(脚本设置为可执行)
- 验证SKILL.md存在且具有有效的前置元数据
使用Write工具创建文件。
Step 8: Confirmation
步骤8:确认
After installation, provide a summary:
- List of successfully installed skills
- List of skipped skills (if any) with reasons
- Location:
~/.claude/skills/ - Next steps: "The skills are now available. Restart Claude or use them directly."
安装完成后,提供摘要:
- 成功安装的技能列表
- 已跳过的技能列表(如有)及原因
- 安装位置:
~/.claude/skills/ - 后续步骤:“技能现已可用。重启Claude或直接使用。”
Example Usage
使用示例
User: "Install skills from https://github.com/example/claude-skills"
Assistant:
- Fetches skills list from the repository
- Presents available skills: "skill-a", "skill-b", "skill-c"
- User selects "skill-a" and "skill-b"
- Performs security scan on each skill
- skill-a: SAFE - proceeds to install
- skill-b: WARNING (makes HTTP request) - asks user for confirmation
- Installs approved skills to ~/.claude/skills/
- Confirms: "Successfully installed: skill-a, skill-b"
助手:
- 从仓库获取技能列表
- 展示可用技能:“skill-a”、“skill-b”、“skill-c”
- 用户选择“skill-a”和“skill-b”
- 对每个技能执行安全扫描
- skill-a:安全 - 继续安装
- skill-b:警告(发起HTTP请求) - 向用户确认
- 将已批准的技能安装到~/.claude/skills/
- 确认:“已成功安装:skill-a、skill-b”
Security Notes
安全注意事项
- Never skip security scanning - Always analyze skills before installation
- Be conservative - When in doubt, flag as WARNING and let user decide
- Critical issues are blocking - CRITICAL severity findings cannot be overridden
- Transparency - Always show users what was found during security scans
- Sandboxing - Remind users that skills run with Claude's permissions
- 切勿跳过安全扫描 - 安装前务必对技能进行分析
- 保持谨慎 - 存疑时标记为警告并让用户决策
- 严重问题会阻止安装 - 严重(CRITICAL)等级的发现无法被覆盖
- 保持透明 - 始终向用户展示安全扫描中发现的问题
- 沙箱提醒 - 提醒用户技能将以Claude的权限运行
Resources
资源
references/security_scan_prompt.md
references/security_scan_prompt.md
Contains the detailed security analysis prompt template with:
- Complete list of security categories to check
- Output format requirements
- Example analyses for safe, suspicious, and dangerous skills
- Decision criteria for APPROVE/REJECT recommendations
Load this file when performing security scans to ensure comprehensive analysis.
包含详细的安全分析提示模板,内容包括:
- 需检查的完整安全类别列表
- 输出格式要求
- 安全、可疑和危险技能的分析示例
- 批准/拒绝建议的决策标准
执行安全扫描时加载此文件,以确保分析全面。