← Back to Skills Marketplace
84
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install quiz-maker
Description
出题工具。根据文档内容(docx、pdf、txt 等)生成选择题测试卷,并返回二维码供答题者扫码作答。触发词:出题、生成题目、创建测验、云端出题。
Usage Guidance
Key points before installing or running anything from this package:
- This skill will (per SKILL.md) send extracted document text to an external server at 118.196.5.240:34100. If your documents contain sensitive data do NOT upload them without confirming the operator, privacy policy, and retention practices.
- The package includes a deploy script that installs system services and runs the server as root. Do NOT run deploy/deploy.sh as root unless you trust the code and the service owner — review server.js, upload-handler.js and quiz-create.js line-by-line first.
- The SKILL.md expects a local node script at ~/.openclaw/quiz-maker/quiz-create.js but the package provides no install instructions; that mismatch is suspicious. Ask the publisher how the client is meant to be installed and why server code is bundled.
- parser.js uses child_process.execSync with shell pipelines as a fallback for PPTX parsing. If you run the bundled server, inspect how uploaded filenames and paths are validated to avoid command injection.
- Prefer to: (1) get a named, verifiable domain and operator contact for the cloud endpoint; (2) run the client code in an isolated environment (container/VM) and inspect network traffic before sending sensitive documents; (3) if you need an on‑premise solution, review and test the server code thoroughly and change the systemd unit to run as a non-root user and follow least privilege practices.
If you want, I can: (a) highlight lines in server.js / quiz-create.js / upload-handler.js where uploads are transmitted or where execSync is used; or (b) suggest a safe minimal workflow to test the client without exposing real documents.
Capability Analysis
Type: OpenClaw Skill
Name: quiz-maker
Version: 1.0.0
The skill bundle contains several high-risk configurations and behaviors that, while supporting its stated purpose, pose significant security risks. Most notably, the agent instructions in 'SKILL.md' and the client script 'quiz-create.js' are hardcoded to exfiltrate document content to a specific remote IP address (118.196.5.240) rather than a user-configured endpoint. Additionally, 'start.sh' automatically establishes a Cloudflare Tunnel to expose the local server to the public internet, and 'quiz-create.js' explicitly disables SSL certificate verification ('rejectUnauthorized: false'). The bundle also includes a hardcoded API key in 'question_generator.js' and a potential shell injection vulnerability in 'parser.js' via unsanitized execution of the 'strings' command, although the latter is partially mitigated by generated filenames.
Capability Tags
Capability Assessment
Purpose & Capability
Name/description: generate multiple‑choice quizzes from documents and deliver a QR code — and the SKILL.md explicitly says "use cloud service" at 118.196.5.240:34100. That capability legitimately requires sending document text to a service. However the package also contains full server code (server.js, upload-handler.js, db.js, deploy/deploy.sh, etc.) but there is no install spec and SKILL.md expects a local helper at ~/.openclaw/quiz-maker/quiz-create.js. Including a server + deployment script is disproportionate for a client-only instruction skill and creates ambiguity about whether you should run a remote service, a local client, or install the bundled server locally.
Instruction Scope
The SKILL.md instructs the agent/user to extract text locally (python docx/PyPDF2 examples) and then run a node script (node ~/.openclaw/quiz-maker/quiz-create.js "<内容>" "<标题>" "<说明>"). That node script is expected to call the cloud service (the skill documents the cloud IP). The instructions require reading arbitrary local documents and then transmitting their text to an externally hosted service (118.196.5.240:34100). The instructions don't provide an install step for the local script, don't document what is transmitted, and don't warn about privacy of uploading full document contents. Parser code (parser.js) uses child_process.execSync to run shell commands (strings | grep | head) as a fallback for PPTX parsing — if file paths or inputs are not properly sanitized this is a potential command‑injection vector.
Install Mechanism
There is no declared install spec in the registry metadata nor in SKILL.md, yet the repo includes deploy/deploy.sh which installs Node.js, nginx, certbot, creates /opt/quiz-maker, writes a systemd unit, and configures the service to run as User=root. That deployment script, if executed, would make persistent system changes and run the service as root — a high privilege action that is unnecessary to simply call a remote API. The cloud host is a raw IP (118.196.5.240:34100) rather than a well-known release host or domain; using a numeric IP is higher risk and harder to validate.
Credentials
The skill does not request environment variables or credentials (requires.env is empty) which is appropriate for an API-forwarded quiz generator. However, the package uploads local document contents to a third-party server (hard-coded IP) — even without requiring a key — so the privacy/sensitivity of transmitted data is a concern. No secrets are requested, but the remote endpoint and included server/deploy scripts increase the attack surface.
Persistence & Privilege
The skill metadata does not force 'always' inclusion, but the codebase contains a deploy script that configures a persistent systemd service running as root (User=root). That would give the packaged application long-lived system presence and high privilege if an operator ran deploy/deploy.sh. The presence of such a script in an otherwise instruction-only skill is disproportionate and risky.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install quiz-maker - After installation, invoke the skill by name or use
/quiz-maker - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
首次发布
Metadata
Frequently Asked Questions
What is quiz-maker 出题工具?
出题工具。根据文档内容(docx、pdf、txt 等)生成选择题测试卷,并返回二维码供答题者扫码作答。触发词:出题、生成题目、创建测验、云端出题。 It is an AI Agent Skill for Claude Code / OpenClaw, with 84 downloads so far.
How do I install quiz-maker 出题工具?
Run "/install quiz-maker" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is quiz-maker 出题工具 free?
Yes, quiz-maker 出题工具 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does quiz-maker 出题工具 support?
quiz-maker 出题工具 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created quiz-maker 出题工具?
It is built and maintained by alsxie (@alsxie); the current version is v1.0.0.
More Skills