cybluesky

zhuocha

by cybluesky · GitHub ↗ · v1.3.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 136 · Stars: 0 · Active Installs: 0 · Versions: 4
Install in OpenClaw
/install zhuocha
Description
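Verification assistant for duplicate tendering and bidding projects. Activate it when you need to analyze whether multiple jy_id records under the same reid are true duplicates. Data sources: dify_ns_re_readsource (reid grouping) + dwd_bid_it_all (detail fields, port 5200) + ods_bid_content (original body text, port 5100). Typical trigger phrases: "找茬大师" ("fault-finding master"), "分析..." ("analyze...")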
Usage Guidance
This skill appears to implement the duplicate-tender checking workflow described, but there are important mismatches and risky instructions you should address before installing or running it:
- Implementation vs docs mismatch: SKILL.md requires reading detailed fields from dwd_bid_it_all on port 5200, but the included script reads those fields from the dify_ns_re_readsource table via the 6100 endpoint. Confirm which data source is correct and update docs or code. Also the doc admonition to avoid LEFT() in SQL contradicts the script, which uses LEFT(detail, N).
- Dangerous DB operation: The documentation suggests using TRUNCATE TABLE result.dify_ns_re_result to recover from bad inserts. TRUNCATE removes all data and requires high DB privileges — do NOT run this without backups, explicit authorization, and an audit of who can perform it. Ask the author for safer remediation steps (e.g., DELETE with WHERE + logged backup, or use transactions and a staging table).
- Network / auth: The script posts and queries internal HTTP endpoints (no auth in code). Confirm these endpoints require authentication and that writing to result.dify_ns_re_result is allowed for the account/service that will run the skill. If these endpoints are unauthenticated, running the skill could leak or corrupt internal data.
- Testing & fixes: Run the script in a safe, isolated environment (or against a staging copy of the APIs and DB) and verify behavior. Check/fix SQL generation when 'done' set is empty to avoid malformed queries. Verify the list of jy_id written to rd is correctly formed and that the payload encoding/charset is handled safely (the docs mention Chinese punctuation problems).
If you cannot validate the above with the skill author or test environment, treat this skill as untrusted and avoid running it against production/internal services.
Capability Analysis
Type: OpenClaw Skill
Name: zhuocha
Version: 1.3.0
The skill bundle is designed for bidding project deduplication but contains high-risk patterns, including hardcoded internal IP addresses (192.168.88.51) and SQL injection vulnerabilities. Both SKILL.md and scripts/zhuocha_finder.py construct SQL queries using string formatting with unsanitized inputs, and the instructions direct the agent to perform direct database inserts via a web API. While these capabilities appear aligned with the stated business purpose, the lack of input validation and direct internal network interaction represent significant security flaws.
Capability Assessment
Purpose & Capability
The skill claims to verify duplicate tender records using three internal data sources and to write results back to an internal result table. The SKILL.md and the Python script both target the same internal HTTP APIs on 192.168.88.51 and the same DB tables, which is consistent with the stated purpose. However, the SKILL.md insists the detailed fields must come from the dwd_bid_it_all table on port 5200, while the shipped script fetches those fields from TABLE_RE (dify_ns_re_readsource via 6100) instead of calling the 5200 API — a mismatch that indicates the implementation does not follow the documented data-source requirement.
Instruction Scope
SKILL.md instructs the agent/program to query internal HTTP APIs and to write JSON INSERTs into result.dify_ns_re_result; that matches the script. Concerns:
(1) SKILL.md explicitly recommends using Python urllib and avoiding bash/curl for writing results — the included script uses requests (Python) which is fine, but the docs and code disagree on some SQL practice (SKILL.md says 'do not use LEFT() in SQL; fetch full detail and slice in Python', yet the script's get_detail uses LEFT(detail, N) in its SQL).
(2) The docs state the API does not support DELETE/UPDATE and recommend TRUNCATE TABLE result.dify_ns_re_result to clear bad rows — TRUNCATE is a destructive, high-privilege operation and recommending it as the remedy is dangerous and disproportionate; the skill gives no guidance about backups, authorization, or safeguards.
(3) Some SQL builders in the script can produce syntactically invalid queries when the 'done' set is empty (e.g., WHERE reid NOT IN ()), indicating fragile behavior that could produce unexpected errors or broad queries.
Install Mechanism
This is an instruction-only skill with a small Python script and no install specification. Nothing is written to disk by an installer step and no external packages are being pulled by an automated installer. Risk from install mechanism is low.
Credentials
The skill requests no environment variables or credentials, which is coherent. It does, however, perform network calls to internal IPs (192.168.88.51 on ports 5100/6100 and references 5200). Network access to internal APIs is expected for this use-case, but it means the skill will read and write internal DB data without any declared authentication. Ensure the target APIs require appropriate auth and logging; otherwise the script could read/write sensitive internal data unexpectedly.
Persistence & Privilege
The skill does not request permanent inclusion (always: false) and contains no code that modifies other skills or system-wide agent config. It writes to a result table in the target environment, which is expected functionality for this task.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install zhuocha
  3. After installation, invoke the skill by name or use /zhuocha
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.3.0
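zhuocha 1.3.0
- Enhanced write guidance: added an explicit requirement to write to the database only with Python `urllib`; bash/curl is prohibited, to avoid errors caused by splitting on Chinese commas (re_result field ends up NULL).
- Strengthened SQL query advice: the detail field must not be truncated in SQL; slice it with [:150] on the Python side instead, to avoid compatibility problems.
- Refined the notes on handling multi-jy_id groups and on the API supporting only INSERT, not UPDATE/DELETE.
- Improved the output report format, with support for outputting cumulative counts.
- Corrected and expanded the descriptions of several common judgment patterns, making the judging criteria more detailed.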
v1.2.0
**Changelog for zhuocha v1.2.0**
- Clarified and updated the data table usage: detail fields now must be queried from `dwd_bid_it_all` on port 5200, not from `dify_ns_re_readsource` (which only contains reid and jy_id).
- Added explicit separation of roles for each table and endpoint in the documentation.
- Enhanced instructions to always use the correct source for business fields (project information, etc.), reducing errors from referencing incomplete data.
- Improved documentation to reflect the updated field sources throughout workflow explanations and examples.
v1.1.0
**Changelog for zhuocha v1.1.0**
- Clarified that proj_name is only a supplementary reference; final duplication judgments must rely on project number, customer name, and procurement content from the detail field.
- Added explicit instructions for handling records with invalid or empty proj_name: always check detail for confirmation.
- Strengthened logic and tips for multi-jy_id groups, especially to avoid misjudgment when proj_name is invalid but grouped together.
- Expanded typical non-duplicate patterns, including more cases of invalid proj_name and incorrect grouping.
- Enhanced warnings and step-by-step guidance against false positives in second announcement situations ("second-announcement misjudgment").
v1.0.0
Initial release of zhuocha: a bid project deduplication verification assistant.
- Supports verification of repeated projects under the same `reid` via field and content comparison.
- Outlines step-by-step judging logic using fields: title, proj_name, customer_standard_new, detail, att_ext.
- Provides detailed SQL query and result writing instructions, with strict data handling requirements.
- Includes tips for complex cases (e.g., multi-batch, secondary announcements, and attachments).
- Offers user summary reporting and guidelines for batch operation and progress tracking.
Metadata
Slug zhuocha
Version 1.3.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is zhuocha?

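Verification assistant for duplicate tendering and bidding projects. Activate it when you need to analyze whether multiple jy_id records under the same reid are true duplicates. Data sources: dify_ns_re_readsource (reid grouping) + dwd_bid_it_all (detail fields, port 5200) + ods_bid_content (original body text, port 5100). Typical trigger phrases: "找茬大师" ("fault-finding master"), "分析..." ("analyze...") It is an AI Agent Skill for Claude Code / OpenClaw, with 136 downloads so far.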

How do I install zhuocha?

Run "/install zhuocha" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is zhuocha free?

Yes, zhuocha is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does zhuocha support?

zhuocha is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created zhuocha?

It is built and maintained by cybluesky (@cybluesky); the current version is v1.3.0.
