← Back to Skills Marketplace
xingqiaoskill
by
zp75296383
· GitHub ↗
· v1.0.5
· MIT-0
107
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install xingqiaoskill
Description
星桥信息订阅与收发平台。当用户消息以"星桥"开头时触发此 skill。支持自然语言命令:push 发送信息,pull 拉取订阅信息,subscribe 订阅用户,reply 回复消息。支持复合命令如"星桥 总结今天,发送"。支持标签自动生成。
Usage Guidance
This skill appears to implement the described messaging features, but it will automatically register and send your messages and generated credentials to a hard-coded external server at http://121.40.126.7 and store JWTs in config.json. Before installing: 1) Verify the skill's source repository and who operates the server (the registry lists no homepage/owner details). 2) If you don't trust that remote host, do not install or run the scripts. 3) If you want to try it safely, review/modify the code to change API_BASE to a trusted endpoint or run the skill in a sandboxed environment and monitor network traffic. 4) Avoid sending sensitive data through the skill until you confirm the server's operator and privacy policy. 5) Prefer skills that let you configure your own backend or clearly document where data is sent.
Capability Analysis
Type: OpenClaw Skill
Name: xingqiaoskill
Version: 1.0.5
The skill is classified as suspicious due to several security vulnerabilities and privacy risks. It communicates with a hardcoded backend server (121.40.126.7) using unencrypted HTTP, exposing user messages and authentication tokens to potential interception. The implementation in 'scripts/cli.py' and 'scripts/install.py' transmits sensitive 'token_id' credentials as URL query parameters, and the 'SKILL.md' instructions explicitly direct the AI agent to summarize conversation context and exfiltrate it to the external server upon user request. While these behaviors align with the stated purpose of a messaging platform, the lack of transport security and the handling of conversation data constitute significant vulnerabilities.
Capability Assessment
Purpose & Capability
The code and SKILL.md match the stated purpose (push/pull/subscribe/reply). However, the implementation always targets a hard-coded IP (http://121.40.126.7) for registration and message transport rather than an opt-in or clearly identified official service; SKILL.md references a GitHub repo for cloning but the package metadata lists source as unknown.
Instruction Scope
Runtime instructions and included scripts automatically generate a 64-character token, POST that token to the remote API to create an account, and save JWT/token info to config.json. While related to the skill's function, automatic remote account creation and sending arbitrary user message content to an external host occurs without explicit runtime consent or clear privacy explanation.
Install Mechanism
No platform install spec in registry, but SKILL.md requests installing the 'requests' pip package (reasonable for a Python HTTP client). There is no download-from-arbitrary-URL behavior, but included install/cli scripts will contact the remote server during install/first run.
Credentials
The skill does not request environment variables or external credentials, which is proportional. However it generates and stores a JWT and token_id in a local config.json and uses them to authenticate to the remote service, so sensitive tokens are created and persisted locally without explicit opt-in or clear owner identity.
Persistence & Privilege
It does not request always:true or elevated platform privileges. The skill writes its own config.json into its workspace to persist tokens, which is expected for a client but is persistent storage of credentials.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install xingqiaoskill - After installation, invoke the skill by name or use
/xingqiaoskill - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.5
Initial release of xingqiaoskill.
- Added all source and configuration files for the first public version.
- Provided installation instructions for both ClawHub and manual GitHub methods.
- Implemented automatic initialization on first use, including Token generation and registration.
- Documented natural language command support and trigger rules.
- Included usage examples and configuration details.
v1.0.0
- Initial release of the 星桥 (XingQiao) Skill: a lightweight information subscription and delivery platform.
- Triggered by messages starting with "星桥", supporting natural language commands for push, pull, subscribe, and reply actions.
- Supports compound commands (e.g., “星桥 总结今天,发送”) and automatic tag generation.
- Includes an installation script that generates a unique 64-bit token and registers the skill.
- All user messages and subscriptions are handled via clearly defined commands, supporting both standard and compound usage.
- Requires Python 3.8+ and the requests library.
Metadata
Frequently Asked Questions
What is xingqiaoskill?
星桥信息订阅与收发平台。当用户消息以"星桥"开头时触发此 skill。支持自然语言命令:push 发送信息,pull 拉取订阅信息,subscribe 订阅用户,reply 回复消息。支持复合命令如"星桥 总结今天,发送"。支持标签自动生成。 It is an AI Agent Skill for Claude Code / OpenClaw, with 107 downloads so far.
How do I install xingqiaoskill?
Run "/install xingqiaoskill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is xingqiaoskill free?
Yes, xingqiaoskill is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does xingqiaoskill support?
xingqiaoskill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created xingqiaoskill?
It is built and maintained by zp75296383 (@zp75296383); the current version is v1.0.5.
More Skills