lilianzhu

zadig

by lilianzhu · GitHub ↗ · v4.0.2
cross-platform ⚠ suspicious
638 Downloads · 2 Stars · 1 Active Installs · 20 Versions
Install in OpenClaw
/install zadig
Description
⚠️ Requires ZADIG_API_URL + ZADIG_API_KEY | API client for the Zadig DevOps platform
Usage Guidance
This skill appears to be a straightforward Zadig API client. Before installing:
  1. Confirm ZADIG_API_URL points to your intended Zadig server (not a public or unknown host).
  2. Use a least-privilege API token (scoped, short-lived if possible) and avoid committing the token to VCS.
  3. Review the included index.js (it makes HTTPS calls to whatever URL you provide and sets Authorization: Bearer <token>) to ensure no unexpected hardcoded endpoints exist.
  4. Note the minor version mismatch in metadata (package/README vs registry) and prefer obtaining the skill from a trusted source or official repository if possible.
If you need the agent to call other services, check how ZADIG_API_URL will be set and who can modify it.
Capability Analysis
Type: OpenClaw Skill
Name: zadig
Version: 4.0.2
The skill is classified as suspicious due to a critical shell injection vulnerability found in the `getServiceLogsSync` function within `index.js`. This function uses `child_process.execSync` to execute a `curl` command, where parameters like `pod.name` and `containerName` are directly interpolated into the shell command string without proper sanitization. This allows an attacker who can control these input parameters to execute arbitrary commands on the host system running the OpenClaw agent. While this is a severe Remote Code Execution (RCE) risk, there is no clear evidence of intentional malicious behavior (e.g., data exfiltration to an unauthorized endpoint, persistence mechanisms) by the skill's author; it appears to be an implementation flaw rather than a deliberate attack.
Capability Assessment
Purpose & Capability
Name/description claim a Zadig API client and the package.json, SKILL.md, and index.js consistently implement a Zadig OpenAPI client. Minor metadata inconsistency: package.json / README list version 4.0.1 while registry metadata shows 4.0.2 — not a security problem but worth noting.
Instruction Scope
SKILL.md instructs the agent to read a .env for ZADIG_API_URL and ZADIG_API_KEY and to call the Zadig server; index.js only reads process.env and makes HTTP(S) requests to the API_BASE derived from ZADIG_API_URL. There are no instructions to read unrelated files or exfiltrate data to other endpoints.
Install Mechanism
No install spec is provided (instruction-only runtime with included Node.js source). No downloads from external URLs or archive extraction. The skill includes a local index.js implementation rather than pulling arbitrary code at runtime.
Credentials
Declared required environment variables are ZADIG_API_URL and ZADIG_API_KEY (plus optional defaults). These are exactly the credentials needed to operate the client; no unrelated secrets or extra credentials are requested.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform-wide privileges. It declares read:env and network:https which are appropriate for its operation and does not modify other skills or global configuration.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install zadig
  3. After installation, invoke the skill by name or use /zadig
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v4.0.2
Fixed version number consistency; added convenience methods: getServiceStatus, getServiceLogsSync; fixed missing parameters in the logs API
v4.0.1
Added convenience methods: getServiceStatus, getServiceLogsSync; fixed missing parameters in the logs API; updated package.json metadata
v1.1.1
Updated package.json metadata
v1.1.0
Added convenience methods: getServiceStatus, getServiceLogsSync; fixed missing parameters in the logs API
v4.0.0
Zadig Skill 4.0.0 includes major updates:
- Completely rewritten documentation focused on configuration, required environment variables, permissions, and usage.
- Emphasizes API authentication requirements with ZADIG_API_URL and ZADIG_API_KEY.
- Lists core supported features (project/workflow/environment/service/build/test management).
- Adds permission details and security best practices.
- Provides clear usage examples for integration.
v3.0.0
Version 3.0.0 introduces a major update to Zadig Skill, providing a comprehensive DevOps platform API client.
- Added support for Zadig OpenAPI, enabling project, workflow, environment, service, build, and test management.
- Now requires setting ZADIG_API_URL and ZADIG_API_KEY as environment variables for authentication.
- Enhanced with sample code and recommended security best practices.
- Declares necessary permissions for environment and network access.
vv2.0.0
v2.2.0 — No code or documentation changes detected in this release. - No updates to code or documentation content. - No new features, bug fixes, or modifications noted.
v1.0.0
Initial release of zadig skill: OpenAPI-based DevOps platform client.
- Requires ZADIG_API_URL and ZADIG_API_KEY environment variables for configuration.
- Supports core features: project, workflow, environment, service, build, and test management via Zadig API.
- Provides usage examples in JavaScript.
- Details permission needs and security recommendations.
v2.2.0
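- Updated to the Zadig v4.2 OpenAPI specification, improving compatibility and feature completeness
- Detailed the environment variable configuration, including required and optional items
- Clarified permission requirements, listing the required read:env and network:https permissions
- Core features cover project, workflow, environment, service, build, and test management
- Provided new usage examples and security recommendations, improving usability and security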
v2.1.0
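- Upgraded to a DevOps platform client for the Zadig v4.2 OpenAPI specification
- Updated the environment variable configuration notes, supporting multiple environments (ZADIG_ACTIVE_ENV) and the admin API
- Explicitly listed the required permissions and core feature categories
- Added security recommendations and detailed usage examples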
v2.0.9
- Added SKILL.md documentation (initial release of documentation).
- Version update to 2.0.9.
v2.0.8
- Updated package.json configuration.
- Added a new SKILL.md file for documentation.
v2.0.7
Zadig 2.0.7
- Updated SKILL.md documentation.
- No further details provided.
v2.0.6
zadig 2.0.6
- Added initial SKILL.md documentation.
- No additional feature or bugfix information provided for this version.
v2.0.5
Version 2.0.5 - Added initial SKILL.md documentation.
v2.0.4
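Zadig Skill 2.0.4
- Fully upgraded to support the Zadig v4.2 OpenAPI specification, with broader API coverage.
- Added detailed usage instructions covering core features such as projects, workflows, environments, builds, tests, releases, and clusters.
- Strengthened the configuration guidance, making clear that the ZADIG_API_URL and ZADIG_API_KEY environment variables are required.
- Supports production/test environments, service and image management, and version- and permission-related operations.
- Provides extensive example code so developers can integrate and call it quickly.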
v2.0.3
Explicitly marked the required environment variables in the description
v2.0.2
Declared environment variables and runtime permissions; added security documentation
v2.0.1
Support for multiple environments (uat/admin), automated inspection, fixed hardcoded sensitive information
v2.0.0
Support for multiple environments (uat/admin), automated inspection and auto-repair features
Metadata
Slug zadig
Version 4.0.2
License
All-time Installs 1
Active Installs 1
Total Versions 20
Frequently Asked Questions

What is zadig?

⚠️ Requires ZADIG_API_URL + ZADIG_API_KEY | API client for the Zadig DevOps platform. It is an AI Agent Skill for Claude Code / OpenClaw, with 638 downloads so far.

How do I install zadig?

Run "/install zadig" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is zadig free?

Yes, zadig is completely free (open-source). You can download, install and use it at no cost.

Which platforms does zadig support?

zadig is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created zadig?

It is built and maintained by lilianzhu (@lilianzhu); the current version is v4.0.2.
