← Back to Skills Marketplace

清华网络学堂自动化

Name: 清华网络学堂自动化
Author: tomuiv

by TOMUIV · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install tsinghua-learn

Description

自动登录清华网络学堂，查看待办事项，下载课件，提交作业，并批量标记课件已读，支持无人值守操作。

Usage Guidance

Key points to consider before installing or running this skill: - Sensitive data storage: The skill expects your Learn credentials and stores them in credentials.json in cleartext. If you provide your real student account, those credentials will exist on disk and could be read by other processes or backups. Consider using a dedicated/throwaway account instead of your primary account. - Persistent cookies & unattended access: The scripts persist session cookies, a browser Profile, and fingerprint info so the skill can operate without you. That gives long-lived access to your Learn account. If you stop trusting the skill, you must remove credentials.json, sessions/*.json, and the profiles/ directory to revoke access. - Mixed/absolute paths: Several scripts reference absolute Windows paths (C:\Users\TOM\..., D:\testclaw\...), while others use relative skill paths. This is a packaging bug but also a risk: data may be written to or read from unexpected locations. Before running, inspect and correct these paths so all state stays inside the skill folder (sessions/, profiles/). Grep for 'D:\' and 'C:\Users\TOM' and fix them. - Playwright download: Running the included install_playwright.py or the Playwright-based login scripts will download Chromium via Playwright. This is expected but will pull binaries from the internet. - SKILL.md vs code mismatch: The documentation claims the bot will create credentials.json automatically; in reality _config.load_credentials errors if the file is missing. You will likely need to create credentials.json manually or modify code to prompt securely. Practical steps: 1) Do not run this on a machine with sensitive data or on a production account. Prefer a VM/container or an isolated test account. 2) Inspect and (preferably) edit credentials.json handling: remove hardcoded paths, ensure the file lives under the skill directory, and consider encrypting the credentials if you must store them. 3) After any run, delete credentials.json, sessions/learn_session.json, profiles/learn_profile/ and any fingerprint files to revoke persistent access. 4) If you are not comfortable editing code, do not provide your primary account credentials—use a separate account. 5) If possible, prefer a supervised workflow (run login_supervised.py once interactively) and then delete credentials.json and profile data once session is established; or avoid unattended operation entirely. Because of the packaging inconsistencies and the risk of long-lived credential artifacts, treat this skill as suspicious until the absolute-path issues are resolved and credential handling is hardened.

Capability Analysis

Type: OpenClaw Skill Name: tsinghua-learn Version: 1.0.0 The skill bundle automates access to the Tsinghua University 'Learn' platform but exhibits several high-risk security practices. It explicitly instructs the AI agent to collect and store plaintext student credentials in 'credentials.json' and session tokens in 'learn_session.json'. Critically, 'learn_api.py' disables SSL certificate verification (verify=False), exposing users to man-in-the-middle (MITM) attacks. Additionally, multiple scripts (e.g., 'check_kj_unread.py', 'todos_dom.py', and '_config.py') contain hardcoded absolute file paths to a specific user's environment ('C:\Users\TOM\...' and 'D:\testclaw\...'), which is highly irregular for a portable skill and suggests it was extracted from a specific compromised or development machine.

Capability Assessment

ℹ Purpose & Capability

Overall the code implements the stated purpose (login, check todos, download files, submit/mark as read, Playwright-based supervised + auto login). Requesting a username/password and storing session cookies is expected for this functionality. However several files use hardcoded absolute paths (e.g., C:\Users\TOM\... and D:\testclaw\...) that do not align with the SKILL.md's described local layout and the rest of the scripts that use relative skill paths; this mismatch is unexpected and may cause files to be written/read outside the skill directory.

⚠ Instruction Scope

SKILL.md claims the bot will 'automatically create credentials.json' and that credentials are asked interactively, but _config.load_credentials actually requires credentials.json to exist (it raises if missing). The skill persists session cookies, browser profile, and fingerprint data to disk and instructs the user to perform a one-time supervised browser trust step; this grants the skill long-lived access to the user's Learn account. Several scripts reference absolute system paths (both C:\ and D:\) which broaden the file I/O footprint beyond the declared skill directory. These behaviors go beyond a simple read-only 'helper' and include persistent state and sensitive data storage.

ℹ Install Mechanism

There is no formal install spec, but the bundle includes an install_playwright.py helper which runs 'python -m playwright install chromium' and will download browser binaries at runtime. Using Playwright is reasonable for browser automation, but it results in large external downloads and executable components being installed when scripts are run—something to be aware of.

⚠ Credentials

The skill does not declare environment variables, but requires a plaintext credentials.json containing username/password. That is necessary for automated login but is high-risk: credentials are stored on disk in cleartext. Additionally, some modules reference a fingerprint file and session files at absolute locations (e.g., FINGERPRINT_FILE = 'D:\testclaw\learn_fingerprint.json' and SESSION_FILE = 'D:\testclaw\learn_session.json' inside learn_api.py), which is disproportionate and inconsistent with other scripts that use the skill's own sessions/ and profiles/ directories. This could cause sensitive data to be read from or written to unexpected system locations.

⚠ Persistence & Privilege

The skill persistently stores cookies, XSRF tokens, browser profile data and fingerprint JSON and relies on those to perform 'unattended' logins. While this matches the stated unattended operation, it grants the skill ongoing access to the user's account and a long-lived credential-like artifact on disk. always:false (normal), but autonomous invocation plus persistent session files increases the blast radius if the skill or host is compromised. The SKILL.md also enforces a single profile directory (profiles/learn_profile/) and forbids scattering files elsewhere, but the code's absolute paths violate that.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install tsinghua-learn
After installation, invoke the skill by name or use /tsinghua-learn
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release: login, todos, download kj, submit hw, mark read

Metadata

Slug tsinghua-learn

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is 清华网络学堂自动化?

自动登录清华网络学堂，查看待办事项，下载课件，提交作业，并批量标记课件已读，支持无人值守操作。 It is an AI Agent Skill for Claude Code / OpenClaw, with 61 downloads so far.

How do I install 清华网络学堂自动化?

Run "/install tsinghua-learn" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 清华网络学堂自动化 free?

Yes, 清华网络学堂自动化 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does 清华网络学堂自动化 support?

清华网络学堂自动化 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created 清华网络学堂自动化?

It is built and maintained by TOMUIV (@tomuiv); the current version is v1.0.0.

More Skills