Build a visual operating cockpit for an AI-native one-person company across promise, buyer, product, delivery, cash, learning, and assets. / 为 AI 一人公司建立可视化经营...
Security Analysis
high confidence
The package and runtime instructions are consistent with its stated purpose (building a local, founder-approved workspace and operating cockpit); required resources and behaviors are proportional and documented, with no obvious attempt to access unrelated secrets or system components.
The name/description match the repository contents: many scripts and templates exist to generate a localized operating cockpit, SVG visuals, markdown/DOCX outputs, and a hidden machine state. Platform adapter wrappers and a local MCP stdio server are present to enable integration but are described in changelogs and publishing docs, which is consistent with a multi-adapter distribution package.
SKILL.md limits runtime actions to: (1) run bundled Python scripts with an existing Python 3.7+, (2) create files only inside a founder-approved workspace, and (3) avoid auto-installing system packages or requesting unrelated credentials. Recommended commands and the README follow that scope. There are no instructions in SKILL.md that ask the agent to read unrelated host files or exfiltrate secrets.
No install spec is declared (instruction-only at marketplace level). The package contains many scripts and platform adapters but does not prescribe downloading or extracting remote binaries. This is proportionate for a repository intended to be run locally after review.
The skill declares no required environment variables or credentials for normal operation, which aligns with SKILL.md claims. However, the repository contains platform adapters (Claude, Dify, OpenAI, Dify plugin provider, MCP server, etc.). Those adapters may require platform-specific API keys or host configuration when used — but they are optional runtime paths and the package does not force them. Users should expect that enabling platform-specific adapters will require supplying the appropriate credentials at that time.
The package writes files to a local workspace (explicitly constrained by the SKILL.md and scripts). always:false and model invocation enabled are appropriate. The package includes a local MCP stdio server (platforms/mcp-server/server.py) that exposes script entrypoints to local clients; this is consistent with a local integration adapter but means the host may run a listening process if you start it.
Guidance
This package appears coherent with its purpose, but review and basic precautions are recommended before running:
1) Inspect scripts/ensure_python_runtime.py, platforms/mcp-server/server.py, and platform adapter files (platforms/dify-plugin/provider/one_person_company_os.py) to confirm you understand any network/listening behavior.
2) Run the scripts only in an isolated or empty folder (or container/VM) until you confirm outputs are safe and confined to the approved workspace path.
3) The repository includes optional platform adapters — only provide API keys or enable adapters if you intend to publish or connect to external services.
4) If you plan to run the MCP server, be aware it can open a local endpoint; bind it appropriately and avoid exposing it to untrusted networks.
5) If you want extra assurance, run python3 -m pip check / static linters or open the code for a short review of I/O and subprocess usage before executing.
Latest Release
v1.0.2
Add multi-platform adapters for Claude Skills, Hermes Agent, MCP clients, OpenAI GPT Store, Dify, Poe, Gemini Gems, GitHub Copilot Extensions, and Microsoft Copilot Studio.
Published by @living-hi on ClawHub