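📦 xfg-zsxq-skills — 知识星球 (Knowledge Planet) automation
v2.3.0. One-click posting, replying, browsing, notification checks and scheduled tasks for 知识星球; it reads the local configuration automatically and uses browser automation for efficient community operations.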
Last updated: 2026/3/28
Security scan
OpenClaw
Safe
high confidence
Assessment recommendation
This skill is coherent with its stated purpose but it handles sensitive data: it asks you to paste your full 知识星球 Cookie (contains zsxq_access_token). Before installing or running: 1) Review the scripts yourself and only store cookies you trust this tool with; the tool saves them under ~/.xfg-zsxq/groups.json (recommend file mode 600 and only use on accounts you control). 2) Be aware browser automation requires installing puppeteer (package.json) or using the platform's browser actions; follow R...
✓ Purpose and capabilities
The name/description describe automation for 知识星球 (post, reply, check notifications, cron). The repository includes scripts that implement those features and read/write ~/.xfg-zsxq/groups.json. Required capabilities (HTTP requests to api.zsxq.com, cookie-based auth, optional image upload to qiniu) match the stated purpose. There is a minor doc mismatch: SKILL.md mentions Playwright MCP for browser automation while package.json lists puppeteer as a dependency; this is a documentation/implementation inconsistency but does not indicate malicious behavior.
✓ Instruction scope
SKILL.md and scripts instruct the agent/user to obtain and store the full site Cookie and to run local Node scripts. The runtime instructions explicitly reference only the knowledge-planet APIs, the local config path (~/.xfg-zsxq/groups.json), and the OpenClaw browser tooling for interactive automation. There are no instructions to read unrelated system files or to exfiltrate data to unexpected endpoints beyond api.zsxq.com and qiniu (used for image upload).
ℹ Install mechanism
This is instruction- and script-based with no platform install spec. A package.json declares 'puppeteer' (heavy dependency) but there is no automated install step described; users will need to npm install if they want browser automation. Because no install script runs automatically, there's lower installer risk, but users should be aware that dependencies (puppeteer) are required for automated browser actions.
✓ Credential requirements
The skill requires the user's 知识星球 cookie (zsxq_access_token) stored in ~/.xfg-zsxq/groups.json and uses it to call api.zsxq.com. Requesting the cookie is proportionate to performing authenticated post/reply operations. The code stores configuration with file mode 0o600 (README claims permission 600), which is appropriate for sensitive tokens. No unrelated environment variables or unrelated service credentials are requested.
✓ Persistence and privileges
always:false and no special OS-wide privileges are requested. Scripts read/write files under the user's home (~/.xfg-zsxq and cron-config.json) which is expected for a per-user automation tool. The cron-setup script writes a cron-config JSON and prints OpenClaw CLI commands but does not autonomously register system cron jobs or modify other skills' configurations.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v2.3.0 2026/3/28
● Harmless
Install command
Official: npx clawhub@latest install xfg-zsxq-skills
Mirror (accelerated): npx clawhub@latest install xfg-zsxq-skills --registry https://cn.longxiaskill.com