← 返回 Skills 市场
nathan-deepmm

Church Account

作者 nathan-deepmm · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
586
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install church-account
功能描述
Automate tasks on churchofjesuschrist.org and LCR (Leader & Clerk Resources). Use when logging into LDS church accounts, looking up ward/stake rosters, manag...
使用说明 (SKILL.md)

Church Account (LDS/LCR)

Automate login and tasks on churchofjesuschrist.org.

Login

OAuth Flow

The church uses OAuth via id.churchofjesuschrist.org. Any protected page redirects to login:

  1. Enter username → click Next
  2. Enter password → click Verify
  3. Redirects back to target page with session cookies

No MFA or CAPTCHA is typically required. Playwright + playwright-stealth handles it cleanly.

Credentials

Store in a password vault or environment variables:

  • Username (church account email or membership ID)
  • Password

Login with Playwright

import asyncio
from playwright.async_api import async_playwright
from playwright_stealth import Stealth

async def login(target_url="https://lcr.churchofjesuschrist.org", cookies_path="/tmp/church_cookies.json"):
    async with async_playwright() as p:
        browser = await p.chromium.launch(
            headless=True,
            args=["--no-sandbox", "--disable-blink-features=AutomationControlled", "--disable-dev-shm-usage"]
        )
        context = await browser.new_context(
            viewport={"width": 1920, "height": 1080},
            user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 ..."
        )
        page = await context.new_page()
        await Stealth().apply_stealth_async(page)
        await page.goto(target_url)

        # Enter username
        await page.fill('input[name="identifier"]', USERNAME)
        await page.click('button[type="submit"]')

        # Enter password
        await page.wait_for_selector('input[type="password"]')
        await page.fill('input[type="password"]', PASSWORD)
        await page.click('button[type="submit"]')

        # Wait for redirect
        await page.wait_for_url(f"{target_url}/**", timeout=30000)

        # Save session
        await context.storage_state(path=cookies_path.replace('.json', '_state.json'))
        await browser.close()

Reusing a Session

After login, use saved storage state to skip re-authentication:

context = await browser.new_context(
    storage_state="/tmp/church_cookies_state.json",
    viewport={"width": 1920, "height": 1080},
    user_agent="Mozilla/5.0 ..."
)
page = await context.new_page()
await Stealth().apply_stealth_async(page)

Key URLs

Service URL
LCR (Leader & Clerk Resources) https://lcr.churchofjesuschrist.org
Ward Directory https://directory.churchofjesuschrist.org
Calendar https://www.churchofjesuschrist.org/calendar
Donations https://donations.churchofjesuschrist.org
Temple Reservations https://tos.churchofjesuschrist.org
My Home https://www.churchofjesuschrist.org/my-home
Account Settings https://id.churchofjesuschrist.org/account

LCR Sections

After login, LCR provides access to:

  • Membership — member records, move-in/out, new members
  • Callings — current callings, sustaining, setting apart
  • Ministering & Welfare — assignments, needs
  • Finance — tithing settlement, budget, donations
  • Missionary — full-time and ward missionaries
  • Temple — recommend status, temple activity
  • Reports — attendance, quarterly reports

Tips

  • Login sessions persist via cookies — no need to re-login every request
  • Headless Chrome with playwright-stealth avoids detection
  • Storage state files contain auth tokens — treat as sensitive
安全使用建议
This skill appears to be what it says (automating LDS/LCR website tasks) but it has several red flags you should consider before installing or running it: - Missing declarations: The SKILL.md expects Python, Playwright, playwright-stealth, and a Chromium browser but the skill metadata lists no required binaries or install steps. Verify and install these dependencies from official sources yourself rather than trusting an unknown installer. - Credentials handling: The code expects USERNAME and PASSWORD but the skill does not declare required environment variables. Do not put credentials into plaintext env variables or world-readable /tmp files. Use a secure password vault and inject secrets at runtime if possible. - Sensitive persistence: The skill saves storage_state (auth tokens/cookies) to disk. Those files are equivalent to logged-in sessions—store them encrypted, restrict file permissions, and delete when no longer needed. - Sandbox/stealth flags: The recommended browser arguments include --no-sandbox and stealth techniques intended to evade detection. --no-sandbox reduces process isolation and increases risk if you run this on a shared or untrusted host. Prefer running automation in an isolated, single-tenant environment (e.g., a disposable VM or container) and avoid --no-sandbox unless you understand the risk. - Source trust: The source/homepage is unknown. Only run this skill if you trust the author or can inspect and control the code that will run. If you plan to use it, prefer copying the provided code into a controlled repo, lock dependencies to known good versions, and review any third-party libraries (playwright-stealth implementations can be unvetted). If you want to proceed safely: obtain the dependencies from official registries, run the automation in an isolated container/VM, keep credentials in a vault and inject at runtime, secure storage_state files, and remove or avoid using --no-sandbox and other flags that weaken sandboxing.
功能分析
Type: OpenClaw Skill Name: church-account Version: 1.0.0 The skill is classified as suspicious due to significant security vulnerabilities. It stores sensitive authentication tokens in a world-writable `/tmp/church_cookies_state.json` file, which could lead to local information disclosure. Additionally, it uses the `--no-sandbox` argument for Playwright, weakening the browser's security posture and increasing the risk of compromise if the browser engine is exploited. While the skill's stated purpose is legitimate, these insecure practices in SKILL.md represent critical vulnerabilities rather than direct malicious intent.
能力评估
Purpose & Capability
The name/description and SKILL.md are coherent: both describe automating churchofjesuschrist.org/LCR tasks via a browser automation flow. However, the skill fails to declare the real runtime requirements (Python, Playwright, playwright-stealth, and a Chromium browser), which is an inconsistency.
Instruction Scope
Instructions explicitly tell the agent how to perform OAuth login, manage sessions, and persist storage_state (auth tokens) to disk. They also recommend using playwright-stealth and pass browser args including --no-sandbox and --disable-blink-features=AutomationControlled to avoid detection. Saving storage_state and cookies to /tmp and using stealth flags broaden the sensitive scope and weaken sandbox protections; the instructions give the agent discretion over sensitive items without safe-handling specifics.
Install Mechanism
There is no install spec (instruction-only), which minimizes installer risk, but the runtime code requires Playwright, playwright-stealth, and Chromium. Those are not declared in metadata; a user would need to install them manually. The absence of an install spec plus required binaries is an operational mismatch to be aware of.
Credentials
SKILL.md expects credentials (USERNAME, PASSWORD) and suggests storing them in a vault or env vars, but requires.env and primary credential are empty. Sensitive artifacts (storage_state JSON) are written to /tmp with no guidance on encryption/permissions. Requesting credential usage without declaring them is disproportionate and risky.
Persistence & Privilege
The skill does not request always:true nor modify other skills. It does instruct saving persistent session state and cookies to disk which is normal for session reuse but creates long-lived sensitive artifacts; treat these files as secrets and protect them appropriately.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install church-account
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /church-account 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release
元数据
Slug church-account
版本 1.0.0
许可证
累计安装 1
当前安装数 1
历史版本数 1
常见问题

Church Account 是什么?

Automate tasks on churchofjesuschrist.org and LCR (Leader & Clerk Resources). Use when logging into LDS church accounts, looking up ward/stake rosters, manag... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 586 次。

如何安装 Church Account?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install church-account」即可一键安装,无需额外配置。

Church Account 是免费的吗?

是的,Church Account 完全免费(开源免费),可自由下载、安装和使用。

Church Account 支持哪些平台?

Church Account 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Church Account?

由 nathan-deepmm(@nathan-deepmm)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 留言讨论