
ZFONT-CLI

by LANMIN-X · GitHub ↗ · v1.5.3 · MIT-0
cross-platform ⚠ suspicious
347 Downloads · 1 Stars · 0 Active Installs · 6 Versions
Install in OpenClaw
/install zfont-cli
Description
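Intelligently search, recommend, and download free-for-commercial-use fonts from zfont.cn; supports recursively unpacking font archives to extract TTF, OTF, and TTC files, and offers installation or transfer options.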
Usage Guidance
This skill appears coherent for downloading fonts from zfont.cn and doesn't request unrelated secrets. Before installing:
  1. Confirm you trust zfont.cn/files.zfont.cn (the skill will download and extract archives from that host). Malicious or malformed font files can still be harmful if opened or installed.
  2. Consider disabling autonomous invocation or requiring explicit confirmation for downloads if you want to avoid silent fetches.
  3. Run the skill in a sandboxed environment (or review downloaded archives) before installing fonts system-wide.
  4. Because the skill's source/homepage is unknown, prefer caution: validate the remote endpoints and test with non-sensitive, disposable environments first.
Capability Analysis
Type: OpenClaw Skill
Name: zfont-agent-cli
Version: 1.5.3
The skill facilitates font searching and downloading from zfont.cn but contains shell injection vulnerabilities in the `download_font_archive` and `process_font_asset` actions within `skill.md`. It uses `bash -c` to execute `wget` and `unzip` commands using variables (`download_url`, `font_name`) fetched directly from a remote API without adequate shell sanitization. While the code includes a domain whitelist check for `https://files.zfont.cn/*`, the implementation remains vulnerable to RCE if the remote API returns crafted payloads.
Capability Assessment
Purpose & Capability
Name/description, declared required binaries (wget, unzip, cp, bash), and the HTTP endpoints (zfont.cn / files.zfont.cn) all align with a font-search-and-download tool. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Instructions stay within the stated task: search via zfont.cn APIs, fetch a download URL, download to /tmp, optionally unzip and deliver files. They do not request unrelated system files or secrets. Note: get_font_download_url specifies a silent (non-interactive) immediate download when a font ID is obtained, which may cause the agent to fetch archives without an extra explicit user confirmation in some flows.
Install Mechanism
This is an instruction-only skill with no install spec or code to write to disk, which is the lowest-risk install model. All runtime commands are standard system utilities (wget/unzip).
Credentials
The skill requires no environment variables, no credentials, and no config paths. Network access to zfont.cn/files.zfont.cn is expected and proportional to the purpose.
Persistence & Privilege
always is false and the skill does not request system-wide changes. However, disable-model-invocation is false (normal), and the skill's logic includes silent download and automated file sending steps—this gives the skill the ability to autonomously fetch and stage binaries (archives) in /tmp and hand them off via the platform's file-send API, increasing blast radius if the remote content is malicious or if agent autonomy is undesired.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install zfont-cli
  3. After installation, invoke the skill by name or use /zfont-cli
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.5.3
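zfont-agent-cli 1.5.3
- Improved the guidance users see after receiving a font: once a file is sent, the guidance is shown as itemized points instead of a code block, making it clearer and easier to read
- When sending an archive or font files, the extraction and installation instructions are each given in a text format that better matches user habits
- All other features and interfaces remain unchanged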
v1.5.2
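- Fixed a registration metadata error and added the required dependency declarations (wget, unzip, cp, bash).
- Tweaked the description to make clear that the fonts come from ZFONT.CN and are free for commercial use.
- Other features remain unchanged.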
v1.5.1
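zfont-cli v1.5.1
- Simplified the description and feature notes; removed the automatic installation and system-sniffing capabilities in this version.
- After a download completes, the only options kept are "send archive" or "send font files"; "one-click install to system" is no longer offered.
- Streamlined the action logic to keep only file extraction and delivery, removing automatic operating-system detection and installation scripts.
- Trimmed the dependency notes, removing the "cp (install fonts)" content.
- Kept the sending of archives and font files and the brief usage-guide output.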
v1.5.0
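ZFONT-CLI 1.5.0 major update: streamlined interaction and a fully automated font download and deployment experience.
- Simplified workflow: supports smart branching; when an exact font name is matched, the skill can go straight to download without manual filtering.
- Search results are output as a Markdown table and avoid showing font IDs, for a friendlier interface.
- After the download completes, users can directly choose automatic installation, the font files, or the original archive.
- Automatically detects the operating system and runs the corresponding font installation flow, minimizing manual steps.
- All key interactions disable emoji and superfluous narration to stay concise and clear.
- Actions are deeply linked, so the whole download-and-install flow can be completed in "a single question and answer".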
v1.4.0
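Version 1.4.0 introduces enhanced transparency and user choice.
- Every download, extraction, and installation step is explained in detail, e.g. wget (download), unzip (extract), cp (install), so users know in advance what will run.
- Added a "whether to extract" step, letting users choose to receive the original archive directly or to extract it before further processing.
- Clearer workflow prompts: before execution, users are told the system command for each step and what it means.
- The installation guidance states explicitly that cp is the system-level font installation.
- Supports returning the zip package directly, enabling on-demand extraction.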
v1.3.0
ZFONT-CLI 1.3.0 brings advanced font search, extraction, and deployment from zfont.cn with intelligent recommendations and cross-platform asset handling.
- Added smart font search and professional recommendation from zfont.cn, including detailed info and VF (Variable Font) prioritization.
- Supports secure extraction and recursive decompression of downloaded font packages, automatically pulling out core TTF, OTF, and TTC assets.
- Introduced a split workflow: users can choose between step-by-step local installation guidance (macOS, Linux, Windows) or direct asset packaging and download.
- Enhanced system triggers for discovering and obtaining free commercial fonts with simple commands.
- Improved user interaction with explicit prompts for next actions after extraction (install or receive the cleaned assets).
Metadata
Slug zfont-cli
Version 1.5.3
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 6
Frequently Asked Questions

What is ZFONT-CLI?

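Intelligently search, recommend, and download free-for-commercial-use fonts from zfont.cn; supports recursively unpacking font archives to extract TTF, OTF, and TTC files, and offers installation or transfer options. It is an AI Agent Skill for Claude Code / OpenClaw, with 347 downloads so far.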

How do I install ZFONT-CLI?

Run "/install zfont-cli" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is ZFONT-CLI free?

Yes, ZFONT-CLI is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does ZFONT-CLI support?

ZFONT-CLI is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created ZFONT-CLI?

It is built and maintained by LANMIN-X (@lanmin-x); the current version is v1.5.3.
