Skip to main content

Skills

Prerequisites

Feature Menu: Access to the AI Studio / Skill menu is required.

Operation Permission: Read and write access to AI Studio is required.

Model Configuration: At least one LLM must be added to the model list before importing a Skill, as it is required for import validation. If no model is available, the import process will prompt you to add one first.

Overview

  • Skill is a reusable unit that encapsulates specific operational capabilities within Bonree ONE AI Studio. Skills are either built in by the platform or imported by users from external sources. When executing tasks, Agents can invoke Skills to perform concrete actions such as sending notifications, creating tickets, or pushing logs — making Skills a key component for extending Agent capabilities. Skills can also be directly selected and invoked in Rui AI.
  • The platform supports two types of Skills: Built-in Skills are pre-installed and ready to use out of the box, though some require channel parameters to be configured before they can be called; Imported Skills are uploaded by users as zip/skill packages that conform to the OpenClaw specification, and are imported after passing LLM security and compliance validation. Imported Skills support editing and deletion.

Value

Ready to use, quickly extend Agent capabilities

Built-in Skills require no development. Once parameters are configured, they can be invoked directly by Agents, significantly lowering the barrier to extending Agent capabilities and enabling standardized, reusable operations workflows.

Open import to meet customized extension needs

Third-party Skills that conform to the OpenClaw specification can be imported into the platform. Users can freely extend the operational capability boundaries of their Agents according to actual business needs, without being limited to the built-in Skill catalog. Please ensure compliance with security standards when importing.

Centralized management to reduce maintenance overhead

All Skills — both built-in and imported — are displayed and managed in a unified list. Built-in Skills that require parameter configuration can be configured here; imported Skills can be edited and deleted. Agents reference Skills directly, eliminating the need for repeated configuration.

Per-Agent parameter override for differentiated configurations

Built-in Skills support setting Agent-specific parameters that override the global configuration, enabling the same Skill to use different destination addresses or credentials across different Agents.

Use Cases

The following scenarios are for reference only. It is recommended to define and invoke Agents based on your own usage patterns.

Alert Notification Push

After Agents such as fault diagnosis complete their analysis, they can invoke Skills like "Send DingTalk Notification" or "Send WeCom Notification" to automatically push diagnosis summaries and remediation recommendations to the operations group, eliminating manual relay and improving response speed.

Automated Ticket Creation

When an Agent determines that follow-up action is needed, it invokes the "Create Ticket" Skill to automatically submit a ticket to the internal ticketing system, pre-filled with alert information and suggested handling steps — enabling end-to-end automation from alert to ticket.

Operations Log Archiving

After an Agent completes an inspection or diagnostic task, it invokes the "Push Operations Log" Skill to automatically write the execution results to the internal logging system, creating a traceable operations record that supports post-incident audits and knowledge accumulation.

Custom Business Capability Integration

When built-in Skills do not meet specific business requirements, users can import self-developed or third-party Skill packages that conform to the OpenClaw specification. After validation, these Skills become available for Agents to invoke, enabling deep integration with internal systems.

Operation Scenarios

  • View Skill list: Browse all built-in and imported Skills in card format on the Skill list page. Use keyword search and source filters to quickly locate a target Skill.
  • View Skill details: Click a Skill card to open a detail drawer on the right side of the page, showing the complete information including name, description, source, configuration parameters (for built-in Skills), and file preview (for imported Skills).
  • Configure built-in Skill parameters: Click a built-in Skill card, then click the "Configure" button in the detail drawer. Fill in the required channel address, credentials, and other parameters and save. Once configured, the Skill can be normally invoked by Agents.
  • Import an external Skill: Click the "Import" button at the top of the Skill list page. Upload a zip package that conforms to the OpenClaw specification. The system uses an LLM to perform security and compliance validation. If validation passes, the Skill is imported automatically and pinned to the top; if validation fails, detailed failure reasons are shown and re-uploading is supported.
  • Edit an imported Skill: Click an imported Skill card, then click the "Edit" button in the detail drawer to modify the name, description, and other information. Built-in Skills do not support editing.
  • Invoke a Skill in an Agent: After adding a Skill in the Agent orchestration page, you can configure Agent-specific parameters to override the global configuration. If the Agent-specific parameters are empty, the global Skill configuration will be used at invocation time.

Getting Started

Viewing and Managing Skills

Log in to Bonree ONE.

Select AI Studio Skill from the left navigation to enter the Skill list page.

The list displays all built-in and imported Skills as cards, showing the name, description, source label, and configuration status.

Click any Skill card to view the complete details in the right-side drawer.

image-20260610174535747

Configuring a Built-in Skill

Find the built-in Skill to configure in the Skill list, and click the Configure button on the card to open the configuration drawer.

Fill in the required parameters such as channel address and credentials in the configuration area.

After saving, the Skill status changes to "Configured" and it can be normally invoked by Agents.

If a specific Agent needs to use different parameters (such as the Webhook address for a particular group), fill in Agent-specific parameters under that Skill in the Agent orchestration page to override the global configuration.

image-20260610174601311

Importing an External Skill

On the Skill list page, click the "Import" button.

In the form that appears, upload a Skill zip package that conforms to the OpenClaw specification, and fill in the name and description (defaults to the name/description fields from the package).

Click "Import". The system uses the LLM currently selected in Rui AI to perform security and compliance validation. If no model is configured, please go to the model list to add an LLM first.

If validation passes, the Skill is automatically imported and pinned to the top with a source label of "Imported".

If validation fails, the system displays detailed failure reasons. You can make corrections based on the prompts and re-upload.

image-20260610174641148

Import Validation Rules

1. ZIP Validity Checks

Check ItemDescription
Empty package bodyBlocked. No bytes inside the package.
Outer filename extensionBlocked. Uploaded filename must end with .zip or .skill (outer package name only).
Outer package sizeBlocked. Default limit 10MB; configured via skill.import.max_package_mb.
Unable to open zipBlocked. Not a valid zip file (BadZipFile).
No files in zipBlocked. No file entries inside the archive.
Encrypted zip entriesBlocked. Encrypted compressed entries are not supported.
Absolute path entriesBlocked. Member paths cannot start with / or be absolute paths.
Path contains ..Blocked. Path segments must not contain ...
Directory depth exceededBlocked. Default max 5 levels (nested after zip root); configured via Nacos max_dir_depth.
Single file too largeBlocked. Default uncompressed size limit per file 10MB; configured via Nacos max_single_file_mb.
High compression ratio (zip bomb)Blocked. Per-entry file_size/compress_size ratio must not exceed 50x by default; configured via Nacos max_compress_ratio.
Total uncompressed size exceededBlocked. Sum of uncompressed sizes of all files in package defaults to 100MB limit; configured via Nacos max_total_unzip_mb.

2. Skill-Vetter

Skill-Vetter uses an LLM to perform a static security review of the uploaded package according to the built-in skill-vetter protocol. The gateway only parses the VERDICT/NOTES in the final round of the report body and normalizes to "installable" before allowing the package through. The review is an offline static check and does not execute scripts inside the package being imported.

2.1 Prerequisites and Operating Conditions

Check ItemDescription
No LLM available for tenantBlocked.
Vetter call timeoutBlocked. Default timeout per review is 120 seconds.
Rate-limited / context exceeded with no fallback modelBlocked. Can automatically switch to another LLM for retry; fails after all options exhausted.
Other vetter call exceptionsBlocked. Non-retryable errors fail immediately.
Single file exceeds prompt token limitNot blocked. Max ~24,000 characters per file; excess is truncated and flagged.
Total prompt character budget exceededNot blocked. ~120,000 characters total; excess files marked as omitted.
Ignored directories/filesNot scanned. pycache / .git / .svn / node_modules / .DS_Store / .pyc etc. are skipped.

2.2 REJECT-Level Red Flags (DO NOT INSTALL upon detection)

Check ItemDescription
curl/wget to unknown URLBlocked. Includes downloading from unknown addresses.
Sending data to external serversBlocked. Data exfiltration behavior.
Requesting credentials / token / API keyBlocked. Inducing collection of keys.
Reading ~/.ssh, ~/.aws, ~/.config without clear reasonBlocked. Sensitive directory access.
Accessing MEMORY.md / USER.md / SOUL.md / IDENTITY.mdBlocked. Agent private memory files.
Base64-decoding arbitrary contentBlocked. Common obfuscation/payload technique.
eval() / exec() with external inputBlocked. Arbitrary code execution.
Modifying system files outside workspaceBlocked. Out-of-scope disk writes.
Installing dependencies without listing themBlocked. Covert installation behavior.
Network requests using IP instead of domainBlocked. Suspicious C2 characteristic.
Obfuscated code (compressed/encoded/minified to hide intent)Blocked.
Requesting sudo / privilege escalationBlocked.
Accessing browser cookies / sessionBlocked.
Touching credential filesBlocked. e.g. id_rsa, .env, docker/config.json, kubeconfig, etc.

2.3 Extended High-Risk Command Patterns (Full Package Scan Required)

Check ItemDescription
Destructive file operationsBlocked. rm -rf, del /f /s /q, Remove-Item -Recurse -Force, shred, etc.
Disk / filesystem operationsBlocked. dd if=, mkfs, fdisk, diskpart, format, etc.
Privilege escalation / persistenceBlocked. sudo, runas, crontab, schtasks, systemctl enable, reg add, etc.
Arbitrary code executionBlocked. eval, exec, bash -c, powershell -Command, python -c (with external input), etc.
Download and executeBlocked. curl|sh, wget|sh, Invoke-WebRequest|iex, certutil download, etc.
Credential / key harvestingBlocked. Reading ~/.ssh/*, id_rsa, known_hosts, .env, etc.
Exfiltration channelsBlocked. nc/ncat/socat, scp/rsync to unknown hosts, anomalous webhooks, etc.
Firewall / network tamperingBlocked. iptables, ufw, netsh advfirewall, DNS/route manipulation, etc.
Multiple similar commandsBlocked. Any single REJECT-level hit causes denial; all occurrences across the entire package must be scanned.

2.4 Source, Permissions, and OAuth Assessment

Check ItemDescription
Source trustworthiness evaluationNot blocked. Reviews source/author/repo/update time; official ClawdHub listing does not automatically mean safe.
OAuth / SaaS documentationNot blocked. Documentation instructs users to set up their own GOOGLE_* / AZURE_* credentials with least-privilege access typically INSTALL WITH CAUTION.
Hardcoded keys / inducing token pasteBlocked. Requires keys to be written into the repo or sent to untrusted endpoints.
Broad OAuth granted solely for authorizationNot blocked. Broad OAuth for Gmail/Drive etc. defaults to MEDIUM~HIGH; if documentation is clear, it is CAUTION rather than outright rejection.
curl|sh combined with OAuth documentationBlocked. Documented OAuth combined with download-and-execute chain is high risk.

3. File Validation Inside the ZIP Package

Validation is performed by reading zip entries before extracting to disk (rule-based, not LLM).

3.1 SKILL.md Validation

Check ItemDescription
Filename casingBlocked. Must be exactly "SKILL.md"; skill.md and other variants do not match.
Primary manifest must existBlocked. Must be SKILL.md in the zip root, or top-dir/SKILL.md under the single top-level directory; SKILL.md deeper in the tree cannot serve as the primary manifest.
Multiple SKILL.md filesThe shallowest path is used as the primary manifest (same depth: lexicographic order); no separate error is raised.
Flat package structureIf SKILL.md exists in the zip root, multiple top-level items (e.g. scripts/, references/) are allowed; the top-level folder name need not match the slug.
Single-folder package structureIf there is no SKILL.md in the root, all files must be under one top-level directory; blocked if multiple top-level directories exist.
Single-folder top-level directory nameBlocked. Top-level directory name must equal the slug in SKILL.md (or the name field if slug is not set).
SKILL.md encodingBlocked. Must be UTF-8.
YAML front matterBlocked. Fields such as name and description at the start of the file must be enclosed in --- ... ---; the enclosed content must be valid YAML metadata.
nameBlocked. Required; max 64 characters; regex ^[a-z0-9]+(?:-[a-z0-9]+)*$ (starts with digit or lowercase letter; allows lowercase letters / digits / hyphens; no leading/trailing hyphens or consecutive hyphens; must exactly match the top-level folder name).
slugIf provided, follows the same rules as name; defaults to name if not set.
descriptionBlocked. Required; 1-1024 characters.

3.2 File Extension Whitelist Validation

Check ItemDescription
Allowed file extensions (default 31 types).cfg .cjs .conf .css .csv .gif .htm .html .ico .ini .jpeg .jpg .js .json .jsx .md .mjs .png .py .rst .sh .sql .svg .toml .ts .tsv .tsx .txt .webp .yaml .yml
Allowed extension-less fileslicense / copying / makefile / dockerfile / gemfile / rakefile / procfile / jenkinsfile (case-insensitive)
Allowed dot config files.gitignore / .dockerignore / .editorconfig / .npmrc / .nvmrc (full filename match)
SKILL.mdExempt from the extension whitelist, but must still satisfy all rules in Section 3.1.
Ignore list (not blocked; deleted after extraction)MACOSX/ / pycache__ / .git / .svn / .DS_Store / desktop.ini / Thumbs.db / ._* / .pyc / .pyo; skipped during validation and do not count as allowed types.
Double-extension filesOnly the last extension is recognized, e.g. archive.tar.gz is treated as .gz; blocked by default if not in the whitelist.
Extension not in whitelistBlocked. e.g. .exe / .pdf / .zip / .ps1 / .env etc.; can be extended via Nacos skill.import.allowed_suffix.

3.3 Script Dangerous Content Scan (Rule Engine)

Check ItemDescription
Scan scopeOnly .sh / .py / .js / .mjs / .cjs / .ts / .tsx / .jsx files with size; .md / .json and other documents are not scanned.
.sh scriptsBlocked. High-risk patterns such as rm -rf, curl|sh, mkfs, dd, chattr, etc.
Code filesBlocked. Patterns such as os.system, subprocess(shell=True), eval, exec, child_process, etc.
Sensitive path / key referencesBlocked. Patterns such as /etc/shadow, ~/.ssh, PRIVATE KEY, etc.

3.4 Extraction and Other Checks

Check ItemDescription
Extraction path safetyBlocked. Absolute paths, .., and extraction targets that escape the directory are prohibited.
SKILL.md missing after extractionBlocked. SKILL.md must exist after flattening into the skill directory.
Duplicate slug in same environmentBlocked. slug must be unique per account_id + env_id.
Conflict with built-in skillBlocked. name and slug must not duplicate any globally built-in skill.
iconBlocked if invalid. Empty passes; a short string with no injection characteristics passes; otherwise must be a valid base64-encoded image.
Authorization dimensionsBlocked. account_id, env_id, and resource_zone_id are all required.