← Back to Skills Marketplace
207
Downloads
0
Stars
1
Active Installs
3
Versions
Install in OpenClaw
/install zhipu-tools-coding-plan
Description
智谱 AI 原生工具 - 网络搜索、网页读取、仓库文档搜索和文件解析。基于 Z.AI Coding Plan MCP 端点,全部免费使用。
Usage Guidance
This skill appears to implement what it claims (web search, webpage reading, repo search, file parsing) by calling Z.AI MCP endpoints and a legacy bigmodel API. Important things to consider before installing:
- The registry metadata does NOT list required env vars, but the code and README require ZHIPU_API_KEY (and optionally ZHIPU_USE_MCP). Do not assume no credentials are needed — the API key is required.
- File parsing uploads the specified document to open.bigmodel.cn (legacy endpoint). Do NOT upload sensitive or confidential documents unless you trust that remote service and its privacy policy.
- All network requests (searches, readers, zread) send data (queries, URLs, repo/file identifiers, and potentially file contents) to external services (api.z.ai and open.bigmodel.cn). If you need strict data residency or confidentiality, avoid using this skill.
- Verify the skill source/trustworthiness (author repository, signatures). The package lists a GitHub clone URL in README; prefer installing from an official/trusted source rather than an unknown registry owner when possible.
- Before giving a real API key, test in an isolated account or with limited-scope key. Check openclaw.json and ensure you do not commit API keys to source control.
Because of the metadata omission about required env vars and the fact the skill will transmit user files to external endpoints, take precautions (review origin, limit API key scope, avoid uploading sensitive files). If the publisher/source is verified and you accept the privacy tradeoffs, the skill is functionally coherent.
Capability Analysis
Type: OpenClaw Skill
Name: zhipu-tools-coding-plan
Version: 1.2.1
The skill bundle provides legitimate integration with Zhipu AI's MCP and Legacy APIs for web searching, webpage reading, and file parsing. However, it is classified as suspicious due to several security vulnerabilities and high-risk capabilities: the shell scripts (web_search.sh, web_reader.sh, and zread.sh) construct JSON payloads using direct string interpolation of user-provided arguments, making them vulnerable to JSON injection. Additionally, the file_parser.sh script uploads local files to a remote third-party endpoint (open.bigmodel.cn), which is a high-risk behavior, although it is the stated purpose of the tool. No evidence of intentional malice or hidden data exfiltration was found.
Capability Tags
Capability Assessment
Purpose & Capability
Name/description align with included scripts and Python client that call Z.AI Coding Plan (MCP) and a legacy bigmodel endpoint for file parsing and repo searches. The functionality requested by the code (web search, web reader, zread, file parser) is coherent with the stated purpose.
Instruction Scope
Runtime instructions and scripts limit actions to calling external MCP/legacy APIs and reading local files when explicitly requested (file parser). However, the file parser and other calls will upload document contents and remote-fetch URLs to external services (open.bigmodel.cn and api.z.ai), so sensitive content can be transmitted off-host — this is expected for a parser/reader but is a privacy/security consideration the user must accept.
Install Mechanism
There is no install spec; the skill is distributed as scripts and a Python file that run in-place. No download-from-unknown-URL or packaging step was specified. The included files use standard curl/requests and shell helpers.
Credentials
The code and SKILL.md require a ZHIPU_API_KEY (and optionally ZHIPU_USE_MCP) but the registry metadata reported 'Required env vars: none' — this mismatch is an incoherence that could mislead users. The number and types of env vars requested themselves are proportionate for the described service (an API key), but the package should declare them explicitly. Also note that providing the API key enables network calls that will transmit user-provided documents/URLs to third-party endpoints.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system configs, and runs only when invoked. It does not embed autonomous escalation privileges beyond normal agent invocation.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install zhipu-tools-coding-plan - After installation, invoke the skill by name or use
/zhipu-tools-coding-plan - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.1
Version 1.2.1
- Updated _meta.json file.
- No changes to core functionality or documentation in SKILL.md.
v1.2.0
fix: 修复 zread 参数名(repo→repo_name, path→dir_path)、_extract_mcp_text 返回类型、SSL 重试、formatter 双层 JSON 解析
v1.1.0
v1.1.0 - 接入 Web Reader、Zread MCP,slug 改为 coding-plan
Metadata
Frequently Asked Questions
What is Zhipu Tools Coding Plan?
智谱 AI 原生工具 - 网络搜索、网页读取、仓库文档搜索和文件解析。基于 Z.AI Coding Plan MCP 端点,全部免费使用。 It is an AI Agent Skill for Claude Code / OpenClaw, with 207 downloads so far.
How do I install Zhipu Tools Coding Plan?
Run "/install zhipu-tools-coding-plan" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Zhipu Tools Coding Plan free?
Yes, Zhipu Tools Coding Plan is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Zhipu Tools Coding Plan support?
Zhipu Tools Coding Plan is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Zhipu Tools Coding Plan?
It is built and maintained by wnzzer (@wnzzer); the current version is v1.2.1.
More Skills