      FreeAI-io

      Safety Report

      Social Hub Server

      @FreeAI-io

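      The centralized matching engine for an AI relationship-matching assistant. It runs as a standalone OpenClaw instance and communicates with every user's personal Agent through an internal group. It is responsible for receiving users' profile tag summaries, maintaining the global user registry, running the two-way matching algorithm (situational consistency + capability complementarity), monitoring match thresholds, sending match notifications to the relevant personal Agents when a threshold is met, coordinating the confirmation flow between both parties, and collecting match feedback for algorithm optimization. This skill should be triggered when a new message appears in the group or when a scheduled matching scan is due.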

      1,004 Downloads
      1 Installs
      0 Stars
      1 Versions
      Legal & Compliance 738

      Security Analysis

      medium confidence
      Suspicious · 0.08 risk

      The SKILL.md describes a reasonable centralized matching engine, but its runtime instructions assume access to LLM/embedding APIs, a ChromaDB instance, cron/scheduling, and read/write access to ~/.matchbot-engine without declaring credentials, dependencies, or install steps — these gaps are inconsistent and deserve clarification before use.

      Feb 11, 2026 · 1 files · 5 concerns

      Purpose & Capability (concern)

      The described purpose (centralized matching engine) plausibly requires storing user profiles, running matching logic, and sending messages to personal Agents. However, the skill's metadata declares no required env vars, binaries, or install steps while the instructions clearly require: (1) an embedding API / LLM API, (2) a ChromaDB vector database, (3) the ability to send/receive messages on an internal group channel, and (4) persistent filesystem access under ~/.matchbot-engine. The absence of any declared credentials, endpoints, or dependency list is disproportionate to the actual runtime needs.

      Instruction Scope (concern)

      SKILL.md instructs the agent to read/write local files (~/.matchbot-engine/registry.json, match_history.json, chromadb dir), to call embedding and LLM APIs for scoring, to upsert vectors into ChromaDB, to send/receive structured messages (HEARTBEAT, PROFILE_UPDATE, MATCH_FOUND, etc.), and to run periodic cron jobs. All of those are within what a matching engine would do, but they involve handling sensitive user profile data and require explicit instructions about which APIs/endpoints/credentials to use. The SKILL.md also references external spec files (references/message-protocol.md, references/matching-algorithm.md) that are not provided; that leaves runtime behavior underspecified and gives the agent wide discretion (e.g., which LLM/embedding provider to call and what data to send).

      Install Mechanism (note)

      This is an instruction-only skill (no install spec and no code files). That lowers immediate supply-chain risk, but it also means the instructions assume preinstalled components (ChromaDB, embedding/LLM client libraries, cron integration). The skill does not document how to install or configure those components. Lack of an install/packaging plan is an operational gap that increases the chance of misconfiguration or accidental use of unapproved APIs.

      Credentials (concern)

      The SKILL.md requires access to sensitive user profile data and to external LLM/embedding services, but the registry metadata declares no required environment variables or primary credential. In practice the skill needs credentials (API keys/tokens) for any cloud LLM/embedding provider and possibly connection info for ChromaDB or messaging channels. Asking for none in the manifest is inconsistent and obscures what secrets will be needed and where they might be stored or used.

      Persistence & Privilege (note)

      The skill expects to persist state under ~/.matchbot-engine (registry, history, ChromaDB files) and to be scheduled via cron every 6 hours, etc. It does not set always:true and does not claim to modify other skills; persistence is reasonable for this service. However, persisting full user profiles centrally increases privacy risk and requires explicit retention, access control, encryption, and deletion policies which are not documented in SKILL.md.

      Guidance

      Before installing or running this skill, get answers to these questions and take these steps:

      - Clarify required dependencies and credentials: which LLM/embedding provider(s) will be used, and what environment variables or API keys are required? Where are those keys stored and who can access them?
      - Ask for an install spec or code: provide the missing references (message-protocol.md, matching-algorithm.md) and any scripts or container images used to run ChromaDB and the engine so you can review them.
      - Confirm communication channels: how does the engine authenticate to the internal group and personal Agents? What endpoints or tokens are used to send MATCH_FOUND / MATCH_CONFIRMED messages?
      - Audit data handling: request a clear data retention and deletion policy for ~/.matchbot-engine, how sensitive fields are filtered per disclosure_settings, and whether persisted files are encrypted and access-controlled.
      - Run in an isolated environment: until you trust the implementation, run it in a dedicated VM or container with limited network access and limited filesystem mounts (not your full home dir).
      - Require least privilege: ensure LLM/embedding credentials have minimal scope and logging is enabled to track what external calls are made and which data was sent.
      - If you cannot obtain clear answers or code, treat the skill as risky: do not grant it access to real user data or production secrets; prefer a vetted implementation from a known source.

      Latest Release

      v1.0.0

      Initial release of the matching-engine centralized matching skill.

      - Implements a centralized AI-driven relationship matching engine for 30 users' personal Agents.
      - Maintains a global user registry, complete match history, and stores user vector embeddings in ChromaDB by skill, interest, goal, challenge, and basic info.
      - Processes group messages for heartbeats, profile updates, match responses, and feedback, while providing detailed, observable log messages.
      - Performs event-driven and scheduled (every 6 hours) full-pool match calculations, combining vector similarity and LLM-based evaluations (consistency & complementarity).
      - Strictly enforces user disclosure settings when sharing profile information during matches.
      - Manages confirmation workflow and sends personalized introductions (icebreakers) upon both users accepting a match.
      - Provides comprehensive operational logs and summary metrics for transparency and debugging.


      Published by @FreeAI-io on ClawHub
