📦 Zsxq
v0.1.0用户知识星球用户信息:查看当前登录用户的个人资料、跨星球最近发帖足迹。用于查看用户ID、昵称、头像、认证状态及最近在各星球的发帖记录。
0· 18·0 当前·0 累计
by 下载技能包
最后更新
2026/4/19
安全扫描
OpenClaw
可疑
medium confidence该技能声明的用途(查看当前用户资料及跨组足迹)与其指令相符,但存在元数据不一致,以及未声明的对共享认证文档的依赖,安装前需审查。
评估建议
Before installing or enabling this skill: (1) Inspect the referenced ../zsxq-shared/SKILL.md to see exactly how authentication works and where credentials/tokens are stored or read from; confirm it does not instruct the agent to read unrelated files or environment variables. (2) Verify the zsxq-cli binary is trustworthy (where it comes from) and that the registry metadata correctly lists it as a requirement. (3) Confirm there are no hidden endpoints or instructions in zsxq-shared that would tran...详细分析 ▾
ℹ 用途与能力
The skill's name/description (view current user info and cross-group footprints) aligns with the instructions to call zsxq-cli user +info and +footprints. However, SKILL.md declares a required binary (zsxq-cli) in metadata while the registry metadata above lists no required binaries — this mismatch should be resolved.
ℹ 指令范围
Runtime instructions are narrow and CLI-focused (run zsxq-cli user +info / +footprints). They explicitly require the agent to READ ../zsxq-shared/SKILL.md first for authentication/error rules. Reading that shared SKILL.md is reasonable for auth guidance, but it introduces dependence on another skill's contents (and potentially on where credentials are stored). The instructions do not ask the agent to read arbitrary system files or exfiltrate data.
✓ 安装机制
This is an instruction-only skill with no install spec and no code files — it does not write code to disk or download artifacts, which is low risk. The only runtime requirement is the external CLI binary (zsxq-cli) referenced in SKILL.md.
⚠ 凭证需求
No environment variables, credentials, or config paths are declared in the registry metadata, yet the skill depends on authentication (handled via the referenced zsxq-shared/SKILL.md) and on the zsxq-cli binary. The skill does not declare where or how credentials are provided; that gap is concerning because the shared doc may reference environment variables or stored tokens not disclosed here.
✓ 持久化与权限
always is false and the skill is user-invocable. It does not request persistent system presence or attempt to modify other skills. The only elevated action is reading the shared SKILL.md for auth rules, which is within scope but should be reviewed.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.02026/4/19
zsxq-user 1.1.0 - 新增查看登录用户资料(用户 ID、昵称、认证状态)及跨星球发帖记录功能。 - 新增快捷指令:+info(查看资料)、+footprints(查看所有星球发帖)。 - API 支持按昵称在星球内搜索成员。 - 工具依赖 zsxq-cli,内置 CLI 帮助。 - 使用前须阅读共享的认证与错误处理规则。
● 无害
安装命令
点击复制官方npx clawhub@latest install zsxq-user
镜像加速npx clawhub@latest install zsxq-user --registry https://cn.longxiaskill.com