← Back to Skills Marketplace
khoabd

Zrise Connect Release

by Khoa · GitHub ↗ · v3.3.1 · MIT-0
cross-platform ⚠ suspicious
132
Downloads
1
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install zrise-connect-release
Description
Connect and operate Zrise tasks via XML-RPC API using Lobster workflows for approval-based task execution and result writeback.
Usage Guidance
This skill bundle is internally inconsistent: SKILL.md insists on an approval-based Lobster workflow, but other docs and code promote bypassing Lobster and spawning agents directly (including subprocess calls to 'openclaw agent') and expect Zrise, Telegram, and AI provider credentials. Before installing: 1) Inspect invoke_agent_for_task.py, workflow_manager_ui.py, and any code that spawns subprocesses or calls 'openclaw agent' to confirm whether it will bypass approvals or auto-writeback to Zrise. 2) Treat ZRISE_API_KEY, Telegram bot tokens, and model API keys as sensitive — do not provide them until you verify the code path that uses them. 3) Run in an isolated/test environment (not production) and with least-privilege credentials. 4) If you need strict approval gates, reject or remove the agent-to-agent direct-spawn code and enforce the Lobster workflows referenced in SKILL.md. 5) Consider asking the publisher for a clear statement which workflow mode is authoritative (Lobster-only vs agent-to-agent) and for a minimal manifest that lists the required env vars.
Capability Analysis
Type: OpenClaw Skill Name: zrise-connect-release Version: 3.3.1 The skill bundle provides a comprehensive integration for the Zrise ERP system, including a web-based workflow manager and automated task processing. While the intent appears benign and aligned with its stated purpose, it contains several high-risk security vulnerabilities and behaviors. Specifically, `zrise_utils.py` explicitly disables SSL certificate verification (`ssl.CERT_NONE`), and `workflow_manager_ui.py` implements a web server that allows remote command execution with an authentication check that can be bypassed if a specific environment variable is not set. Additionally, the scripts perform environment modifications such as recursively removing macOS extended attributes (`xattr -cr`) and modifying the user's `~/bin` directory, which are aggressive for a standard skill bundle.
Capability Assessment
Purpose & Capability
SKILL.md and the skill description state the integration must operate via Lobster workflows (approval-based writeback). However multiple docs and scripts (docs/AGENT_TO_AGENT.md, docs/SIMPLE_WORKFLOW_GUIDE.md, workflow_manager_ui.py snippets) explicitly recommend or implement bypassing Lobster and spawning agents directly (subprocess calling 'openclaw agent ...'), which would give agents broad ability to fetch, execute, spawn subagents, and write back results. That behavior contradicts the stated purpose of strict Lobster-mediated, approval-gated execution.
Instruction Scope
SKILL.md itself is narrow and prescriptive (use lobster run ... and wait for approvals). But other runtime instructions and code examples in the repo instruct the system to: (a) modify the UI to POST /api/sessions/{task_id}/trigger and spawn agents directly, (b) let agents 'decide' to spawn subagents and auto-writeback to Zrise, and (c) send approval requests via chat channels. These broader instructions allow automated actions and data writeback that go beyond the conservative approval flow claimed in SKILL.md.
Install Mechanism
There is no formal install spec, but SKILL.md shows a recommended Lobster install via git clone from GitHub and npm install/tsc (https://github.com/openclaw/lobster.git) and linking a binary into ~/bin. That is a traceable GitHub source (not a random URL) but requires running npm install and compiling TypeScript — a moderate installation step that will produce code on disk. No arbitrary remote binaries or obscure URLs were detected.
Credentials
The registry metadata claims no required env vars/credentials, yet README/docs enumerate and assume multiple sensitive settings (ZRISE_URL, ZRISE_DB, ZRISE_USERNAME, ZRISE_API_KEY, GEMINI_API_KEY, Telegram bot tokens, OpenClaw config entries). This mismatch is important: the skill will not function without Zrise credentials and possibly messaging/model API keys, so asking for no env vars in the manifest is inconsistent and understates required sensitive access.
Persistence & Privilege
always:false (good), but the codebase includes UI/server modifications and subprocess spawns that call 'openclaw agent' and may write state (state/ and config/ files). If deployed with default autonomous invocation, the agent-to-agent patterns in the repo would let spawned agents autonomously perform network operations and writebacks. The combination of autonomous agents and documented code that bypasses approval gates increases potential blast radius and should be treated cautiously.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install zrise-connect-release
  3. After installation, invoke the skill by name or use /zrise-connect-release
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v3.3.1
zrise-connect-release 3.3.1 - Updated documentation in SKILL.md with a mandatory workflow process for task handling via Lobster, emphasizing agent approval steps. - Clearly outlined steps for task processing, review, approval, revision, and automation. - Added instructions and usage examples for relevant debug/manual scripts. - Provided practical notes on Zrise XML-RPC API usage and integration specifics. - Included key setup guidance for the Lobster workflow tool and clarified essential Zrise data concepts.
Metadata
Slug zrise-connect-release
Version 3.3.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Zrise Connect Release?

Connect and operate Zrise tasks via XML-RPC API using Lobster workflows for approval-based task execution and result writeback. It is an AI Agent Skill for Claude Code / OpenClaw, with 132 downloads so far.

How do I install Zrise Connect Release?

Run "/install zrise-connect-release" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Zrise Connect Release free?

Yes, Zrise Connect Release is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Zrise Connect Release support?

Zrise Connect Release is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Zrise Connect Release?

It is built and maintained by Khoa (@khoabd); the current version is v3.3.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments