📦 Zsxq — 知识星球

v0.1.0

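Shared. Common foundation for the 知识星球 CLI: authentication (auth login/logout), viewing authentication status, and diagnosing configuration. Triggered when the user needs to log in for the first time, log out, check authentication status, or runs into an authentication error.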

Last updated: 2026/4/19
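Security scan
VirusTotal: benign
OpenClaw: suspicious (medium confidence)
The skill's description matches a CLI auth helper, but it lacks provenance, its metadata does not match the required binaries, and it claims a permanent keychain token; be cautious before installing.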
Assessment recommendations
This skill appears to be a straightforward CLI auth helper, but take these precautions before installing: 1) Verify the zsxq-cli binary comes from a trusted source (the skill gives no homepage/source). 2) Confirm the registry metadata is corrected (SKILL.md requires zsxq-cli but the registry entry omitted it). 3) Be aware the skill claims tokens are permanently stored in your system Keychain — prefer short‑lived tokens or ensure you can revoke them. 4) Do not allow the agent to perform writes (p...
Detailed analysis
Purpose and capabilities
The SKILL.md describes CLI-based auth/login/status/diagnostics for zsxq-cli and the commands are consistent with that purpose. However, the registry metadata earlier listed no required binaries while SKILL.md includes a metadata.requires bins: ["zsxq-cli"] — that's an internal inconsistency. Also the skill's source/homepage are unknown, which reduces provenance.
Instruction scope
Instructions are limited to running zsxq-cli commands (auth login/status, doctor, config show, api call/raw). The agent is told to run auth login, present the returned verification link to the user, and wait — no instructions to read arbitrary system files or exfiltrate data. It does suggest using raw API calls (which is reasonable for a CLI helper).
Install mechanism
This is instruction-only with no install spec (lowest disk/write risk). That said, it requires the zsxq-cli binary to be present; SKILL.md does not provide where to obtain it and the skill has no homepage/source, so the provenance and trustworthiness of the expected binary are unknown.
Credential requirements
The skill declares no environment variables or external credentials. It does state tokens are stored in the system Keychain and '永久有效' (permanently valid). Long‑lived tokens increase risk if compromised; the skill does not instruct how to rotate or revoke tokens. No unexplained credential requests are present, but the permanence claim is a security/privacy concern.
Persistence and privileges
always is false and there is no install that would grant persistent system presence. The skill does not request modifying other skills or system-wide settings. Autonomous invocation is allowed by default (disable-model-invocation is false), which is normal — combine this with the other notes when deciding.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

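Versions

latest · v0.1.0 · 2026/4/19

Initial release of zsxq-shared, with authentication and diagnostics:
- Added CLI-based OAuth 2.0 device flow login/logout, with tokens stored securely.
- Supports checking authentication and configuration status.
- Provides troubleshooting hints and command examples for common scenarios.
- Can call zsxq-cli's API tools directly for advanced needs.
- Emphasizes token security practices; write/delete operations require user confirmation first.

Benign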

Install commands

Official: npx clawhub@latest install zsxq-shared
Mirror: npx clawhub@latest install zsxq-shared --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库