← Back to Skills Marketplace
ziniao-assistant
by
ziniao-open
· GitHub ↗
· v1.0.1
· MIT-0
1416
Downloads
2
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install ziniao-assistant
Description
Control Ziniao Browser via the local Ziniao bridge. On skill load or before first invoke, GET /zclaw/tools and treat returned name list as the only allowed t...
Usage Guidance
This skill appears to do what it says (talk to a local Ziniao bridge), but the SKILL.md expects an API key and a local config file while the registry metadata declares none — that's the main inconsistency. Before installing:
- Confirm whether the skill actually needs ZCLAW_API_KEY and whether that key will be read from an env var or from ~/.zclaw/config.json. If so, the metadata should list that config path and env var.
- Understand that the skill will call localhost (default http://127.0.0.1:9481). Only install if you trust the local bridge running there — a compromised local service could misuse the skill's ability to invoke tools or accept posted data.
- Ask the publisher to update metadata to declare required env vars/config paths, and to document exactly what information is read from ~/.zclaw/config.json. Prefer explicit declared requirements over implicit file reads.
- Consider running the agent in a restricted environment (or without the API key) until you confirm behavior. If you must provide ZCLAW_API_KEY, store it securely and consider limiting its privileges.
- If you are uncomfortable with the skill reading a file in your home directory or with the documented operations (download_file, get_logs, write-to-Downloads), do not install until the publisher clarifies and the metadata is corrected.
Capability Analysis
Type: OpenClaw Skill
Name: ziniao-assistant
Version: 1.0.1
The skill provides extensive browser automation capabilities via a local bridge (defaulting to 127.0.0.1:9481), including executing JavaScript (execute_script) and downloading files (download_file). It also instructs the agent to read and write API keys to a configuration file in the user's home directory (~/.zclaw/config.json). While these actions are aligned with the stated purpose of controlling the Ziniao Browser and include safety constraints like tool allowlisting and 'Stop on Blocker' logic, the combination of filesystem modification and broad browser control constitutes a high-risk capability set.
Capability Assessment
Purpose & Capability
The name and description (control the Ziniao Browser via a local Ziniao bridge) align with the instructions to GET /zclaw/tools and POST /zclaw/tools/invoke on a local base URL (default http://127.0.0.1:9481). That functionality is coherent with the stated purpose. However, the skill metadata declares no required environment variables or config paths even though the SKILL.md references ZCLAW_BASE_URL / ZINIAO_ZCLAW_BASE_URL, ZCLAW_API_KEY, and ~/.zclaw/config.json as runtime inputs — this omission is inconsistent with expected capability declarations.
Instruction Scope
The SKILL.md explicitly instructs the agent to: (1) perform network calls to the local bridge (GET and POST to /zclaw/tools endpoints), (2) read an API key from an environment variable (ZCLAW_API_KEY) or from the local file ~/.zclaw/config.json, and (3) retain an allowlist in session memory. The local network calls and session state are within scope. The instruction to read ~/.zclaw/config.json (a user home config file) is out-of-band relative to the skill metadata (which lists no required config paths) and could expose sensitive credentials; this access should have been declared. The skill also documents commands that may write/download files via the bridge (download_file) and fetch bridge logs (get_logs) — these are plausible for a browser-bridge skill but should be documented as they affect local data.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code. That minimizes disk write / remote code execution risk from the skill package itself.
Credentials
The SKILL.md expects an API key and base URL via environment variables (ZCLAW_BASE_URL / ZINIAO_ZCLAW_BASE_URL, ZCLAW_API_KEY) and a local config file (~/.zclaw/config.json) as an alternative for the API key. The registry metadata, however, declares no required env vars or required config paths. Requiring access to a local config file or API key is reasonable for this functionality, but it should be declared explicitly. The undocumented expectation to read ~/.zclaw/config.json or an env var increases the chance of unexpected credential access or leakage if the skill is installed without user awareness.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide persistence. Autonomous invocation (disable-model-invocation: false) is the platform default; it is not by itself a red flag. The skill does not request modification of other skills or system settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install ziniao-assistant - After installation, invoke the skill by name or use
/ziniao-assistant - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
**Ziniao Assistant 1.0.1 introduces dynamic tool discovery for safer, more reliable browser control.**
- On skill load or before first tool use, fetch available tools from the bridge via GET /zclaw/tools and only allow invoking tool names from this live list.
- Prevents using hallucinated or invalid tool names by always mapping user actions to names in the session's allowedTools.
- Retains static fallback allowlist for tool names only if the bridge registry cannot be reached.
- No changes to browser control capabilities or stop-on-blocker logic.
- Updated documentation for dynamic discovery, static fallback, and stricter tool invocation flow.
v1.0.0
Ziniao Assistant v1.0.0
- Initial release: allows control of Ziniao Browser via the local ZClaw bridge using a unified set of Core Tools.
- Supports listing/opening stores, navigation, page reading, clicking, input, screenshots, automation, and file/download management exclusively via `POST /zclaw/tools/invoke`.
- Enforces hard constraints: stop immediately on bridge/tool failure, no retries or follow-up actions, and no custom scripting or templates.
- Provides user-configurable API key management via conversation, environment variable, or config file for seamless authentication.
- Clear separation of valid/invalid tool names and strict usage of Core Tools only.
Metadata
Frequently Asked Questions
What is ziniao-assistant?
Control Ziniao Browser via the local Ziniao bridge. On skill load or before first invoke, GET /zclaw/tools and treat returned name list as the only allowed t... It is an AI Agent Skill for Claude Code / OpenClaw, with 1416 downloads so far.
How do I install ziniao-assistant?
Run "/install ziniao-assistant" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is ziniao-assistant free?
Yes, ziniao-assistant is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does ziniao-assistant support?
ziniao-assistant is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created ziniao-assistant?
It is built and maintained by ziniao-open (@ziniao-open); the current version is v1.0.1.
More Skills