Downloads: 111
Stars: 0
Active Installs: 0
Versions: 2
Install in OpenClaw
/install zhipu-image
Description
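Zhipu GLM-Image web-based image generation and download. Used to: check the image.z.ai login state, automatically open the browser to log in when necessary, capture browser cookies, generate images through the web interface, and download them locally. Suited to scenarios such as "generate an image with Zhipu", "generate an image and save/send it", "check Zhipu login status", and "automatically open the Zhipu login page".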
Usage Guidance
This skill will capture your browser session cookies for image.z.ai (it uses Chrome DevTools Protocol on port 18800) and save them as a plaintext JSON session file in your user home directory. Those cookies can grant access to your account, so only use this on a machine you trust. Note also: the code is Windows-oriented (uses USERPROFILE and start with cmd.exe) despite no OS restriction in metadata; if you're on macOS/Linux it likely won't work without modification. There's an odd fallback require path (an absolute path to another user's workspace) in zhipu_api.js — likely leftover developer code; it won't necessarily be malicious but is a red flag you may want to inspect. Before installing: review the JS source yourself, run npm install in an isolated environment (or a VM/container), ensure you understand and are comfortable with storing cookies in ~/.zhipu_image_session.json (or USERPROFILE), and consider manually exporting cookies rather than auto-capture if you have security concerns. After use, delete the session file if you no longer want stored credentials.
Capability Analysis
Type: OpenClaw Skill
Name: zhipu-image
Version: 2.0.0
The skill automates image generation by extracting session cookies from a browser using the Chrome Remote Debugging Protocol (CDP) on port 18800, which is a high-risk method for session management. A notable indicator of poor practice or environment-specific targeting is found in `scripts/zhipu_api.js`, which contains a hardcoded absolute path to a specific user's directory (`C:\Users\huang\...`) for loading dependencies. While the data flow appears limited to the target service (image.z.ai), the combination of cookie scraping and hardcoded local paths makes this bundle suspicious.
Capability Assessment
Purpose & Capability
The name/description (web login-based image generation for image.z.ai) align with the code: it captures browser cookies, probes image.z.ai endpoints, generates images, and saves files. However the SKILL.md and code disagree about session file location (SKILL.md says ~/.zhipu_image_session.json; code writes to USERPROFILE on Windows). The skill also implicitly requires a browser with remote debugging port 18800 and a Node runtime, but metadata did not declare these as required binaries/configs.
Instruction Scope
The SKILL.md explicitly instructs the agent to capture browser login state, open the login page, and save cookies; the code implements this. This scope is within the described purpose. Important caveat: capturing cookies means collecting session tokens (sensitive data). The code also includes a network monitor helper for reverse-engineering web requests; that is reasonable for maintenance but broad in that it inspects network traffic when used.
Install Mechanism
No remote downloads or extract steps are present. Dependencies are standard npm packages (chrome-remote-interface) declared in package.json / package-lock.json. There is no install spec in the skill bundle, so the risk surface is limited to included JS files and any npm install the user runs locally.
Credentials
The skill does not request environment variables or external credentials, but it programmatically captures browser cookies (sensitive session tokens) via Chrome DevTools Protocol on port 18800 and stores them plaintext in a session file in the user's home directory. Capturing and storing cookies is proportionate to a web-login approach, but it is privacy-sensitive and should be explicit to the user. Additional issues: hard-coded use of process.env.USERPROFILE (Windows) and an unconditional dependency on a browser remote debugging port are not declared in metadata.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and only stores its own session file in the user's home directory. It opens the browser (via cmd.exe/start) and may wait for user login, which are normal behaviors for a web-login helper.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install zhipu-image
- After installation, invoke the skill by name or use /zhipu-image
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.0
2.0: fix local login/session workflow, improve image generation flow, refresh packaging for current workspace
v1.0.0
Initial release: session-aware image.z.ai login flow, automatic browser login, and prompt-to-image download helper.
Frequently Asked Questions
What is zhipu-image?
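Zhipu GLM-Image web-based image generation and download. Used to: check the image.z.ai login state, automatically open the browser to log in when necessary, capture browser cookies, generate images through the web interface, and download them locally. Suited to scenarios such as "generate an image with Zhipu", "generate an image and save/send it", "check Zhipu login status", and "automatically open the Zhipu login page". It is an AI Agent Skill for Claude Code / OpenClaw, with 111 downloads so far.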
How do I install zhipu-image?
Run "/install zhipu-image" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is zhipu-image free?
Yes, zhipu-image is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does zhipu-image support?
zhipu-image is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created zhipu-image?
It is built and maintained by huangm199 (@huangm199); the current version is v2.0.0.