米游社工具
by carcloud-ml · GitHub ↗ · v0.1.1 · MIT-0
214 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install mystool
Description
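Miyoushe tool plugin. It triggers when the user's message contains any of the following keywords: 米游社登录 (Miyoushe login), 米游社绑定 (Miyoushe binding), 米游社账号 (Miyoushe account), 米游社解绑 (Miyoushe unbinding), 米游社任务 (Miyoushe tasks), 米游币任务 (Miyoushe coin tasks), 米游社签到 (Miyoushe sign-in), 原神便笺 (Genshin Impact notes), 星铁便笺 (Star Rail notes), 开拓力 (Trailblaze Power), 树脂 (Resin), 米游币商品 (Miyoushe coin goods), 米游社兑换 (Miyoushe exchange), 米游社帮助 (Miyoushe help), 扫码补全stoken (scan QR code to complete stoken). Three login methods are supported: SMS login, QR code login, and Cookie login.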
Usage Guidance
This skill appears to do what it claims (Miyoushe login, tasks, sign-ins, and exchange) and includes working code that will run locally and contact official Miyoushe/miHoYo endpoints. Key things to consider before installing or using it:
- Sensitive data: You will be asked to paste cookies, stoken info or phone numbers. Those are saved unencrypted under skills/mystool/data/accounts.json and related files — treat these as high-risk secrets.
- Trust the author: The skill has no homepage and an unknown source; review the code (especially src/api.py, runner.py, sms_login.py, and store.py) yourself before providing real credentials.
- External proxy URL: If you configure a proxy (proxy_config.api_url), the skill will fetch data from that URL to get proxy IPs — that URL could be malicious or point to internal endpoints. Only set it to trusted services.
- Automated actions: runner.py will run daily cron tasks and can iterate all stored accounts. If installed on a shared agent, it will act for every stored user account — consider isolation.
- Deployment suggestions: run in an isolated/trusted environment, audit the full source (untruncated files), and test with a throwaway account first. If you must use real accounts, consider encrypting the data directory or avoiding storing long-lived cookies in this skill.
Capability Analysis
Type: OpenClaw Skill
Name: mystool
Version: 0.1.1
The skill bundle is a comprehensive Miyoushe automation tool that handles sensitive user credentials, including cookies and login tokens. It contains a functional SSRF (Server-Side Request Forgery) vulnerability in 'src/sms_login.py' via the '_get_proxy' function, which performs unvalidated HTTP GET requests to a user-provided URL. Additionally, the tool implements a cross-platform account sharing mechanism in 'src/store.py' ('merge_user_accounts') that allows transferring sensitive session data between users via 6-digit codes. While these features are documented as intended for power users, the combination of credential handling, local storage of cookies in 'data/accounts.json', and the SSRF risk warrants a suspicious classification.
Capability Assessment
Purpose & Capability
Name/description (米游社工具) match the code: modules implement SMS/QR/Cookie login, daily tasks, sign-in, goods exchange, proxy support, and local account storage. No unrelated cloud credentials or unrelated binaries are requested.
Instruction Scope
SKILL.md instructs the agent to run plugin.py/runner.py (and lists pip deps). That runtime will execute the included Python code which performs network calls to mihoyo/miyoushe endpoints, reads/writes local data files under data/ and log/, and may call a user-configured proxy; this is within the plugin's stated purpose but means the agent executes code (not just text-processing).
Install Mechanism
No automated install spec (instruction-only), which is lower risk. SKILL.md lists pip dependencies (httpx, pycryptodome, qrcode) that the operator must install; that is reasonable and expected for this functionality.
Credentials
The skill does not request environment variables but it handles highly sensitive secrets: cookies, stoken, phone numbers and stores them unencrypted in data/accounts.json and related files. It also can fetch an external proxy IP from a user-supplied API_URL (data/proxy_config.json). Storing and reading these secrets is proportional to the feature but is a significant security/privacy concern — you must trust the skill before providing real credentials.
Persistence & Privilege
always:false and the skill does not claim to modify other skills. It persists state (data/ and log/) and includes runner.py for scheduled cron tasks that will act on all stored accounts — this is expected for automation but increases blast radius if the code is malicious or run on an untrusted host.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install mystool
- After installation, invoke the skill by name or use /mystool
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
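Bug fixes.
v0.1.0
mystool 0.1.0: first release
- Added the Miyoushe tool plugin, supporting account login, binding, tasks, sign-in, store exchange, and other features.
- Supports three login methods (SMS, QR code, and Cookie) as well as completing the stoken via QR code scan.
- Automatically runs the Miyoushe coin and sign-in tasks daily and pushes the results via cron.
- Provides a detailed command list, adapted for Telegram, QQBot, and multiple channels.
- Separate logging and proxy settings support.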
Frequently Asked Questions
What is 米游社工具?
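Miyoushe tool plugin. It triggers when the user's message contains any of the following keywords: 米游社登录 (Miyoushe login), 米游社绑定 (Miyoushe binding), 米游社账号 (Miyoushe account), 米游社解绑 (Miyoushe unbinding), 米游社任务 (Miyoushe tasks), 米游币任务 (Miyoushe coin tasks), 米游社签到 (Miyoushe sign-in), 原神便笺 (Genshin Impact notes), 星铁便笺 (Star Rail notes), 开拓力 (Trailblaze Power), 树脂 (Resin), 米游币商品 (Miyoushe coin goods), 米游社兑换 (Miyoushe exchange), 米游社帮助 (Miyoushe help), 扫码补全stoken (scan QR code to complete stoken). Three login methods are supported: SMS login, QR code login, and Cookie login. It is an AI Agent Skill for Claude Code / OpenClaw, with 214 downloads so far.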
How do I install 米游社工具?
Run "/install mystool" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 米游社工具 free?
Yes, 米游社工具 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 米游社工具 support?
米游社工具 is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created 米游社工具?
It is built and maintained by carcloud-ml (@carcloud-ml); the current version is v0.1.1.