← Back to Skills Marketplace
208
Downloads
0
Stars
1
Active Installs
4
Versions
Install in OpenClaw
/install xiaoqian
Description
自动登录江苏海事局综合平台查询指定日期范围内的全局会议信息并导出包含时间、地点和参会人员的结构化数据。
Usage Guidance
This skill mostly does what it says (automates login and scraping of the Jiangsu MSA portal), but exercise caution before installing: 1) The SKILL.md and code include plaintext default credentials — do NOT use these defaults; treat them as potential leaked/stale credentials and rotate any affected account. 2) The code expects MSA_USERNAME/MSA_PASSWORD but the skill metadata does not declare required env vars — if you install, set those env vars yourself rather than relying on defaults. 3) The script downloads ChromeDriver at runtime and attempts to hide automation (navigator.webdriver override), which increases network and detection-evasion behavior; run it in a controlled sandbox or VM and review network activity. 4) Verify the skill's provenance (who published it) before giving it access to credentials or your network. If you cannot confirm origin or do not want the script to handle credentials, do not install/run it; alternatively, extract and review the script first, remove hard-coded defaults, and supply credentials via secure environment variables or a secrets manager.
Capability Analysis
Type: OpenClaw Skill
Name: xiaoqian
Version: 1.0.3
The skill bundle contains hardcoded plaintext credentials (username: 'lp@njmsa', password: '@lp280033') for the Jiangsu Maritime Safety Administration portal within both SKILL.md and query_meetings.py. While the script appears to perform its stated function of automating meeting data collection via Selenium, the exposure of static credentials and the lack of input sanitization for date fields represent significant security vulnerabilities. There is no clear evidence of intentional data exfiltration to external attacker-controlled domains, but the inclusion of credentials for a specific government portal is highly irregular.
Capability Assessment
Purpose & Capability
Name/description and the provided Python automation code align: the code automates login to the listed portal and scrapes meeting data. However, provenance is unclear (source/homepage unknown) and the package embeds a specific account (lp@njmsa / @lp280033) in SKILL.md and as defaults in code, which is unexpected for a general-purpose skill and raises questions about origin and intended operator.
Instruction Scope
SKILL.md and the script remain within the stated task (navigate site, query meetings, export Excel). But the instructions/code include plaintext credentials, will download Chrome WebDriver at runtime, write logs and output files, and the script deliberately attempts to evade automation detection (overriding navigator.webdriver). Those behaviors broaden the runtime footprint beyond a simple read-only query.
Install Mechanism
There is no declared install spec (instruction-only), but the Python code uses webdriver-manager to download ChromeDriver at runtime. webdriver-manager is a common tool and fetches drivers from standard sources, but runtime binary download increases network activity and introduces supply-chain risk compared with a pure instruction-only skill.
Credentials
The skill requests no required env vars in its metadata, yet the code reads MSA_USERNAME and MSA_PASSWORD (with insecure defaults embedded). SKILL.md even prints default credentials. Requiring credentials is reasonable for a login automation tool, but embedding real-seeming credentials and failing to declare them is a coherence/security problem and could leak secrets or encourage misuse.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. It writes logs and generates Excel files in the working directory (expected). Autonomous invocation is allowed by default (normal) but does increase blast radius when combined with the credential/evade flags above.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install xiaoqian - After installation, invoke the skill by name or use
/xiaoqian - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
- Added _meta.json metadata file to the project.
v1.0.2
- 文件名由 skill.md 改为 SKILL.md,统一技能描述文件格式。
- 其余内容无重大调整。
v1.0.1
- Added skill description file (skill.md) in new standardized format.
- Added main implementation script (query_meetings.py) and requirements.txt.
- Removed legacy SKILL.md and replaced with updated documentation.
- Improved documentation and clarified trigger methods, input/output formats, and dependencies.
v1.0.0
Initial release of xiaoqian skill.
- Provides step-by-step instructions to query and export meeting information from the Jiangsu Maritime Affairs integrated platform.
- Includes login details, navigation guidance, and data export steps.
- Defines CSV/Excel output fields and important operational notes.
Metadata
Frequently Asked Questions
What is Xiaoqian?
自动登录江苏海事局综合平台查询指定日期范围内的全局会议信息并导出包含时间、地点和参会人员的结构化数据。 It is an AI Agent Skill for Claude Code / OpenClaw, with 208 downloads so far.
How do I install Xiaoqian?
Run "/install xiaoqian" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Xiaoqian free?
Yes, Xiaoqian is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Xiaoqian support?
Xiaoqian is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Xiaoqian?
It is built and maintained by tokido-25 (@tokido-25); the current version is v1.0.3.
More Skills