← Back to Skills Marketplace
zhiliao
by
jfeng03-dev
· GitHub ↗
· v1.0.0
· MIT-0
121
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install zhiliao
Description
知了 - AI 话题追踪与资讯聚合服务。通过自然语言创建追踪话题,自动从全网聚合相关文章并定时更新。适用场景:(1) 创建信息追踪话题(如追踪黄金价格、科技新闻、行业动态),(2) 获取和浏览话题下的聚合文章,(3) 设置定时任务定期抓取新文章,(4) 查看/管理话题列表,(5) 取消订阅不需要的话题。触发关键词...
Usage Guidance
What to consider before installing:
- The core scripts appear coherent for a news/topic aggregator and legitimately require only ZHILIAO_API_KEY. You should provide your own API key rather than using any key bundled in the repository.
- The package includes .claude/settings.local.json which lists many broad file/command permissions and contains an apparent hard-coded API key string. Treat that file as suspicious: do not run or import its commands as-is. Remove or inspect it before use.
- Inspect the included shell scripts yourself; they only contact api-public.zhiliao.news and store files under ~/.zhiliao. If you accept the skill, configure ZHILIAO_API_KEY via an environment variable or local config and do not accept or paste any keys found in the bundle.
- Rotate the API key if you previously used the hard-coded key anywhere, and never publish your personal API key. If you plan to add cron jobs, ensure they run under the intended account and not as root.
- If you want stronger assurance: run the scripts in a sandboxed environment, review the .claude/settings.local.json (or delete it), and confirm the remote endpoints (api-public.zhiliao.news / h5.zhiliao.news) are legitimate before providing credentials.
If you want, I can extract and show just the lines from .claude/settings.local.json that contain the hard-coded API key and the most concerning permission entries, so you can inspect them directly.
Capability Analysis
Type: OpenClaw Skill
Name: zhiliao
Version: 1.0.0
The skill bundle is classified as suspicious due to the inclusion of a highly permissive `.claude/settings.local.json` file, which appears to be a leaked development configuration. This file grants broad permissions, including 'git push', 'npm install', and access to specific local file paths (e.g., `/Users/jinfeng/Documents/deeplang/**`), and contains a hardcoded API key (`sk_5f7d...`). While the core logic in the shell scripts (e.g., `create-topic.sh`, `fetch-articles.sh`) appears benign and aligned with the stated news aggregation purpose, the presence of these excessive permissions and sensitive artifacts represents a significant security risk and a lack of bundle sanitization.
Capability Assessment
Purpose & Capability
Name/description, declared primaryEnv (ZHILIAO_API_KEY) and the included shell scripts (create-topic, fetch-articles, list-topics, unsubscribe, check-articles) are coherent: they call the zhiliao API, store data under ~/.zhiliao, and output Markdown. No unrelated cloud credentials or unrelated binaries are requested.
Instruction Scope
SKILL.md and the shell scripts stay within the expected scope (reading/writing ~/.zhiliao, calling api-public.zhiliao.news, using curl/jq/iconv). However, the included .claude/settings.local.json contains many allowed commands and read rules that reference arbitrary local paths (e.g. Read(//Users/jinfeng/Documents/deeplang/**), many Bash(...) entries) which go well beyond the skill's stated purpose and could lead an agent to examine unrelated files or run unrelated commands.
Install Mechanism
No install spec is provided (instruction-only). The skill includes shell scripts which will run locally but there is no network download/install step in the manifest. This is lower risk than arbitrary remote installs.
Credentials
The declared credential (ZHILIAO_API_KEY) is appropriate for the API-based functionality. However, the repository includes a .claude/settings.local.json containing an exposed API key string and many permissive commands/paths. Embedding a secret in the package and recommending commands that export it (or point to local user files) is disproportionate and can leak credentials or encourage unsafe execution.
Persistence & Privilege
The skill does not set always:true and allows normal autonomous invocation. But the included .claude/settings.local.json attempts to grant broad runtime permissions (file reads, arbitrary bash commands, WebFetch domains) which, if used by an agent, would increase the skill's effective privileges and access to user files—this is unnecessary for the described aggregator functionality.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install zhiliao - After installation, invoke the skill by name or use
/zhiliao - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
知了 (zhiliao) 1.0.0 — 首个版本发布
- 提供基于自然语言的话题追踪与全网资讯聚合服务。
- 支持两步式话题创建(预览+确认),并可直接关注或新建追踪主题。
- 可获取和本地缓存订阅话题的最新相关文章,支持分页浏览。
- 支持话题列表查看、详细信息展示与一键取消订阅。
- 内置定时任务与批量更新功能,便于实现自动化资讯推送。
- 所有数据及配置本地私有化保存,命令行工具易于集成与扩展。
Metadata
Frequently Asked Questions
What is zhiliao?
知了 - AI 话题追踪与资讯聚合服务。通过自然语言创建追踪话题,自动从全网聚合相关文章并定时更新。适用场景:(1) 创建信息追踪话题(如追踪黄金价格、科技新闻、行业动态),(2) 获取和浏览话题下的聚合文章,(3) 设置定时任务定期抓取新文章,(4) 查看/管理话题列表,(5) 取消订阅不需要的话题。触发关键词... It is an AI Agent Skill for Claude Code / OpenClaw, with 121 downloads so far.
How do I install zhiliao?
Run "/install zhiliao" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is zhiliao free?
Yes, zhiliao is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does zhiliao support?
zhiliao is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created zhiliao?
It is built and maintained by jfeng03-dev (@jfeng03-dev); the current version is v1.0.0.
More Skills