Zhihu CLI — 技能工具
v1.0.0Command-line tool for searching, reading, and interacting with Zhihu (知乎). Supports hot topics, content search, article reading, user info, and Browser Relay...
0· 487·1 当前·1 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's description matches a Zhihu CLI, but the instructions ask you to install an unvetted npm package and to auto-extract and store browser cookies (sensitive data) without explaining how—this mismatch and the lack of source metadata is concerning.
评估建议
Before installing or running this CLI, verify the npm package source and inspect its code: find the package author, repository, and homepage on npm. Understand exactly how 'zhihu login' extracts cookies (which browser files it reads) and whether cookies are stored or transmitted elsewhere; storing cookies in plain files (~/.zhihu-cookie) risks credential theft. Prefer safer authentication methods (OAuth or token-based) if available. If you must try it, run the npm package in an isolated environm...详细分析 ▾
⚠ 用途与能力
The skill claims to be a CLI for Zhihu which plausibly needs authentication, but the SKILL.md promotes an npm package that 'auto-extracts cookies from Chrome' and stores them in ~/.zhihu-cookie. The skill metadata declares no required config paths or credentials, so the implied need to access browser cookie stores is not documented or justified.
⚠ 指令范围
Runtime instructions tell users to npm install (or npx) an external package and to run 'zhihu login' which 'opens Chrome and extracts cookies automatically'. The docs also advise storing cookies in ~/.zhihu-cookie and include JS snippets for Browser Relay to click buttons. These steps involve reading sensitive local browser data and executing JS in a browser context—actions outside a simple read/search use-case and not fully explained.
⚠ 安装机制
There is no install spec bundled with the skill; SKILL.md instructs installing from the public npm registry (npm install -g zhihu-cli or npx). Installing an unvetted npm package from an unknown source (no homepage, no repository listed) is moderate-to-high risk because the package could perform arbitrary actions (including cookie extraction/exfiltration).
⚠ 凭证需求
The skill requests no environment variables but instructs handling of sensitive credentials (browser cookies) and persistent storage (~/.zhihu-cookie). Sensitive access is implied but not declared. There is no explanation about file protections, encryption, or what the cookie file contains/is used for—this is disproportionate to the metadata provided.
✓ 持久化与权限
The skill does not request always:true, does not claim to modify other skills or system-wide configs, and is user-invocable. No elevated platform-level privileges are requested in the metadata.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/8
Initial release
● 可疑
安装命令 点击复制
官方npx clawhub@latest install zhihu-cli
镜像加速npx clawhub@latest install zhihu-cli --registry https://cn.clawhub-mirror.com
技能文档
A CLI tool for interacting with Zhihu (知乎) content.
Installation
# Install globally
npm install -g zhihu-cli# Or use npx
npx zhihu-cli
Commands
| Command | Description |
|---|---|
zhihu login | Auto-extract cookies from Chrome |
zhihu whoami | Check login status |
zhihu set-cookie | Set cookie manually |
zhihu hot | Get hot topics |
zhihu search | Search content |
zhihu topics | Search topics |
zhihu read | Read answer/article |
zhihu user | Get user info by url_token |
zhihu vote | Browser Relay vote instructions |
zhihu follow [url] | Browser Relay follow instructions |
zhihu post | Browser Relay post instructions |
Features
- 🔍 Search Zhihu content
- 🔥 Get hot topics
- 📖 Read answers/articles
- 👤 View user info
- 👍 Vote (via Browser Relay)
- 👣 Follow users (via Browser Relay)
- 🔐 Auto cookie extraction from Chrome
Cookie Setup
Option 1: Auto (recommended)
zhihu login
Option 2: Manual
zhihu set-cookie "your_zhihu_cookie_string"
Browser Relay Operations
Some operations (vote, follow, post) require Browser Relay due to API limitations.
Setup
- Ensure OpenClaw Browser Relay is connected
- Use the respective command to get instructions
Voting
zhihu vote
const btn = document.querySelector('button[class*="VoteButton"]');
if (btn) btn.click();
Following
zhihu follow
API Limitations
Zhihu has restricted API access for:
- Vote/unvote (use Browser Relay)
- Follow/unfollow (use Browser Relay)
- Comments (partially available)
Read operations (search, hot, read, user) work via API.
Examples
# Get hot topics
zhihu hot# Search for Python tutorials
zhihu search Python教程
# Read an answer
zhihu read https://www.zhihu.com/question/123456/answer/789012
# Get user info
zhihu user lightislost
# Check login
zhihu whoami
Notes
- Cookie is stored in
~/.zhihu-cookie - Some features require login (votes, follows)
- Browser Relay provides more reliable write operations
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制