Downloads: 122 | Stars: 0 | Active Installs: 0 | Versions: 2
Install in OpenClaw
/install zhang-xuefeng-ai
Description
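Provides Zhang Xuefeng-style consulting on gaokao (college entrance exam) application choices, major selection, institution analysis, and career planning, with answers that are blunt, practical, and opinionated.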
Usage Guidance
This skill is coherent with its stated purpose (local KB + style prompt) but has a few red flags you should consider before installing:
1) SKILL.md/README direct you to download an encrypted knowledge package from vdoob.com. Verify the source and authenticity before downloading or running anything.
2) The skill will decrypt and extract that archive into ~/.zhang-xuefeng/knowledge_base (note README and code disagree about an exact path); extraction uses zipfile.extractall without path sanitization, so a malicious or tampered archive could overwrite files or write outside the intended directory.
3) The code includes pycryptodome (used) and 'requests' (unused) in dependencies. Unnecessary packages increase surface area.
4) If you proceed, inspect the downloaded package (and its file list) in a safe environment or sandbox before activating; prefer running the skill in an isolated VM/container and avoid using passwords that are reused elsewhere.
5) If possible, ask the publisher for an official, signed release or checksum for the KB and clarification on the expected download path and activation flow.
Capability Analysis
Type: OpenClaw Skill
Name: zhang-xuefeng-ai
Version: 1.0.1
The skill implements a gated content model that directs users to an external website (vdoob.com) to download an encrypted 'knowledge base' and purchase activation codes. The extraction logic in `src/kb_manager.py` uses `zipfile.extractall()` without path sanitization, which is a known ZipSlip vulnerability that could allow a malicious ZIP file to overwrite arbitrary files on the user's system. While the code lacks explicit malicious payloads, the combination of a third-party binary requirement and vulnerable extraction logic poses a significant security risk.
Capability Assessment
Purpose & Capability
The skill's name/description match the included code: it loads a local encrypted knowledge base and uses that to answer high‑school/career questions in a particular style. However _meta.json/requirements list 'requests' even though the Python code does not use network calls; README/SKILL.md instruct users to download the KB from vdoob.com while kb_manager expects the KB under ~/.zhang-xuefeng/knowledge_base (README suggests ~/.zhang-xuefeng/kb/) — this path/name mismatch is a minor incoherence.
Instruction Scope
SKILL.md instructs users to fetch an encrypted knowledge package from an external site (vdoob.com) and the skill will '自动解密' (auto decrypt and load). The code implements decryption and extracts a zip archive into the user's home directory. There is no sanitization of archive paths (zip.extractall is used directly), which can allow path traversal or overwrite of files if the archive is malicious or tampered with. The instructions also push the user to obtain an activation code from the third party — this external dependency and the automatic unpacking broaden the attack surface.
Install Mechanism
There is no automated install spec (lowest install risk). Dependencies are declared (pycryptodome and requests). pycryptodome is used for AES decryption and is reasonable; requests is declared but unused in the code, which is an unnecessary dependency but not itself malicious.
Credentials
The skill does not request environment variables, secrets, or external credentials. The primary behavior is local file I/O in the user's home directory to load the KB — capability requests appear proportionate to the stated purpose.
Persistence & Privilege
The skill writes extracted files and a temporary zip under the user's home (~/.zhang-xuefeng/knowledge_base) and creates an index. It does not request 'always: true' or other elevated platform privileges, but the archive extraction will persist files on disk and could overwrite user files depending on archive contents.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install zhang-xuefeng-ai`
- After installation, invoke the skill by name or use `/zhang-xuefeng-ai`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Fixed the author name to vdoob Team
v1.0.0
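张雪峰AI - Gaokao application consulting Skill v1.0.0
- Initial release, providing Zhang Xuefeng-style Q&A on gaokao application choices, major selection, institution analysis, and career planning.
- Supports retrieving material from the encrypted knowledge base and combining it with a large language model to generate blunt, opinionated answers.
- Smart keyword triggering, covering the main topics such as filling in applications, choosing a major, and employment directions.
- Simple installation and knowledge base download guidance for getting started quickly.
- Clearly defined Q&A scope, including gaokao consulting, major analysis, and institution and region advice.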
Frequently Asked Questions
What is 张雪峰AI助手?
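It provides Zhang Xuefeng-style consulting on gaokao (college entrance exam) application choices, major selection, institution analysis, and career planning, with answers that are blunt, practical, and opinionated. It is an AI Agent Skill for Claude Code / OpenClaw, with 122 downloads so far.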
How do I install 张雪峰AI助手?
Run "/install zhang-xuefeng-ai" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 张雪峰AI助手 free?
Yes, 张雪峰AI助手 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 张雪峰AI助手 support?
张雪峰AI助手 is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created 张雪峰AI助手?
It is built and maintained by silbosu (@silbosu); the current version is v1.0.1.