← Back to Skills Marketplace
69
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install zuma-desktop-agent
Description
ZumaRobot Windows 桌面自动化机器人 SKILL 端代理工具,自动化发布小红书笔记、抖音、X/推特等,支持 AI 动态生成配图,一句话完成所有操作,提高效率。将用户意图映射为 `node zuma.js` 命令参数, 不做任何推理或扩展。 触发词:zuma 采集、X 采集、推文采集、小红书发笔记、...
Usage Guidance
This skill contains executable code that does more than 'map a command' — it reads .env and process.env variables, queries the Windows registry, writes/copies files into the skill folder, may download remote release archives, and uploads images to an external image host (imgbb) using a hard-coded API key. Before installing: 1) only install if you fully trust the skill's source; 2) review the full zuma.js and upload.js code yourself (or have someone you trust do it); 3) remove or replace the hard-coded API key and explicitly set any required environment variables rather than relying on defaults; 4) run the skill in a restricted sandbox or VM and monitor network activity (especially outbound uploads and any downloads); 5) if you need only screenshot-to-local functionality, consider modifying the code to disable external uploads; 6) if anything is unclear, treat this skill as potentially data-leaking and avoid granting it access to sensitive accounts or files.
Capability Analysis
Type: OpenClaw Skill
Name: zuma-desktop-agent
Version: 1.0.0
The skill bundle exhibits high-risk capabilities including remote payload downloading, registry modification, and screen capture. Specifically, 'zuma.js' contains logic to download ZIP files from Gitee/GitHub via PowerShell, extract them to 'C:\ZUMAAI', and modify the Windows Registry ('HKCU\SOFTWARE\ZumaRobot') to store installation paths. While these actions align with the stated purpose of a desktop automation agent, the use of 'execSync' to run PowerShell scripts for screenshots and the presence of a hardcoded ImgBB API key ('669ae31e56af5f66402d9ff239f1980d') represent significant security risks and potential for abuse if the agent is subverted.
Capability Tags
Capability Assessment
Purpose & Capability
The skill claims only to map user intent to a 'node zuma.js' invocation, but the included code does much more: it reads a .env and process.env variables (ZUMA_SERVER_URL, API_KEY, TOKEN, IMGBB_API_KEY, DOWNLOAD_LINKS, etc.), performs HTTP requests to local and remote endpoints, synchronizes guide.md into the skill directory, and references remote download URLs for a Zuma desktop executable. Many of these capabilities (network downloads/uploads, registry access) are beyond a simple command-mapper and are not justified in the description.
Instruction Scope
SKILL.md's runtime instructions insist the agent only run node zuma.js commands and forbid using system shell commands, but the implementation performs actions that go beyond 'just run and return output': it may trigger npm installs, call local and remote HTTP endpoints, copy files into the skill directory, and the script uses child_process.execSync (registry queries). The skill documentation does not declare or explain these reads/writes, nor the use of external image upload services.
Install Mechanism
There is no install spec (instruction-only), but the code expects to run 'npm install' or 'pnpm install' when dependencies are missing. package.json pulls in node-fetch and form-data (reasonable), however the code also contains arrays of remote download URLs (GitHub/Gitee .zip releases) for a Windows executable — downloading/extracting those at runtime would be high risk. The repository also contains an embedded default IMGBB API key. No explicit, vetted release hosts or checksums are provided.
Credentials
The skill declares no required environment variables, yet zuma.js reads many env vars and a .env file (ZUMA_SERVER_URL, API_KEY, TOKEN, IMGBB_API_KEY, DOWNLOAD_LINKS, etc.). A non-trivial secret (IMGBB_API_KEY) is hard-coded in defaults. The mismatch between declared requirements (none) and actual env/credential usage is a clear proportionality problem and increases exfiltration risk (screenshots/images may be uploaded).
Persistence & Privilege
The skill does not set always:true and is user-invocable. The code writes files (syncGuide copies guide.md into the skill root), may create workspace directories under the user's home, and reads the Windows registry to find an installed exe path. Those behaviors are plausible for a desktop agent but should be considered persistent and able to modify files under user home. No evidence it modifies other skills or system-wide agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install zuma-desktop-agent - After installation, invoke the skill by name or use
/zuma-desktop-agent - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
zuma-desktop-agent 1.0.0
- 初始发布,提供 ZumaRobot Windows 桌面自动化机器人命令代理。
- 支持自动化采集推文、小红书发笔记、查看日志、屏幕截图等核心操作。
- 严格命令映射,仅执行 node zuma.js 相关命令,禁止任何系统命令。
- 内置环境自检与业务操作自动流程,错误处理透明,不做任何推理或扩展。
- 交互式菜单指引用户选择具体业务,所有参数需显式输入并校验。
Metadata
Frequently Asked Questions
What is Zuma Desktop Agent?
ZumaRobot Windows 桌面自动化机器人 SKILL 端代理工具,自动化发布小红书笔记、抖音、X/推特等,支持 AI 动态生成配图,一句话完成所有操作,提高效率。将用户意图映射为 `node zuma.js` 命令参数, 不做任何推理或扩展。 触发词:zuma 采集、X 采集、推文采集、小红书发笔记、... It is an AI Agent Skill for Claude Code / OpenClaw, with 69 downloads so far.
How do I install Zuma Desktop Agent?
Run "/install zuma-desktop-agent" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Zuma Desktop Agent free?
Yes, Zuma Desktop Agent is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Zuma Desktop Agent support?
Zuma Desktop Agent is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Zuma Desktop Agent?
It is built and maintained by biglobin (@biglobin); the current version is v1.0.0.
More Skills