yaouuu

homework-grade

Author: yaoUUU · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 124
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install homework-gader-skill
Description
Automatically downloads student homework from QQ email, unzips files, performs AI grading based on templates, and generates an Excel grade report.
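Usage instructions (SKILL.md)

📚 Homework Grader Skill

🧠 Overview

Automatically downloads student homework (zip) from QQ Mail, parses student information, performs template-based AI grading, and generates an Excel grade sheet.

🎯 Use case

Teachers collect homework through QQ Mail, and students submit files named in this format:

Name-StudentID-AssignmentNumber.zip

The system automatically:

  1. Downloads the attachments
  2. Unzips the homework
  3. Matches the template
  4. Performs AI grading and writes comments
  5. Generates the Excel grade sheet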

📥 Input parameters (Inputs)

| Parameter | Type | Required | Description |
| --------------- | ------ | ---- | ---------------------- |
| assignment_id | int | ✅ | Assignment number (which assignment) |
| email_user | string | ✅ | QQ Mail account |
| email_auth_code | string | ✅ | QQ Mail authorization code |

📤 Output (Outputs)

| Parameter | Type | Description |
| ---------- | ------ | ------------------- |
| excel_path | string | Path of the generated grade Excel file |

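⚙️ Execution flow (Workflow)

1. Connect to QQ Mail (IMAP)
2. Fetch attachments from unread messages
3. Filter for zip files
4. Parse the file name (name-student ID-assignment)
5. Unzip the files
6. Load the matching assignment template
7. Call AI grading
8. Aggregate the grades
9. Generate the Excel file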
Security recommendations
This skill mostly does what it says, but there are several red flags you should resolve before using it with real student data or credentials:

- Undeclared OpenAI usage: The grader reads student code and calls OpenAI via OPENAI_API_KEY, but that key is not declared in the skill metadata and not listed in requirements.txt. Ask the author to declare OPENAI_API_KEY as a required credential and add the openai package to requirements.
- External data exfiltration: Student source files are sent to an external AI provider (OpenAI). If student code is sensitive/personal, obtain consent or avoid sending it externally.
- Executing untrusted code: The skill runs student .py files with subprocess.run. This can run arbitrary malicious code. Only run in an isolated, ephemeral sandbox/container with no sensitive network/filesystem access.
- Unsafe zip extraction: zip_ref.extractall is used without sanitizing paths (zip-slip). Ensure filenames are sanitized or extract inside a strict sandbox.
- Missing templates/resources: template_manager returns templates/assignment_{id}, but no templates are bundled. Confirm where templates come from and ensure they are trustworthy.

Recommended actions before installing or running:

1) Require the author to update skill.yaml to declare OPENAI_API_KEY and add openai to requirements.txt; document that student code will be sent to OpenAI.
2) Run the skill in a locked-down container or VM (no network or limited network) until you validate behavior.
3) Inspect or provide the templates directory, and consider local-only grading if you cannot allow external AI calls.
4) Patch code to validate zip entries and avoid path traversal; do not run student code on the host—use sandboxing/time/resource limits and consider static analysis instead of execution.
5) If you must use it, use a throwaway QQ account and rotate its auth code afterwards.

Given these gaps and risky behaviors, treat the skill as suspicious until the author addresses the above points.
Functional analysis
Type: OpenClaw Skill
Name: homework-gader-skill
Version: 1.0.0

The skill bundle contains critical security vulnerabilities that facilitate Remote Code Execution (RCE) and file system compromise. Specifically, `modules/grader.py` implements a function to execute arbitrary Python code from untrusted email attachments using `subprocess.run`, and `modules/extractor.py` uses `zip_ref.extractall()` without path validation, making it vulnerable to Zip Slip attacks. While these functions appear intended for automated homework grading, the lack of sandboxing or input sanitization allows an external attacker (via email) to execute malicious code on the agent's host system.
Capability assessment
Purpose & Capability
The code implements the advertised functionality (IMAP download from QQ, unzip, AI grading, Excel output). However, the implementation requires an OpenAI API key (OPENAI_API_KEY) and expects local template files, neither of which are declared in the skill metadata (requires.env is empty and templates are not bundled). requirements.txt omits the openai client. These are legitimate needs for AI grading but should be declared; omission is an incoherence.
Instruction Scope
The instructions say '调用AI评分' (call AI grading) but do not disclose that the full student code will be sent to an external AI provider. The code reads all .py files and sends them to OpenAI. The skill also writes attachments to disk, extracts zip archives with zip_ref.extractall (no sanitization), and executes student .py files via subprocess.run — all of which expose the environment to untrusted input. The SKILL.md does not warn about these behaviors or recommend sandboxing.
Install Mechanism
There is no install spec (instruction-only in registry), but the bundle includes code and a requirements.txt. requirements.txt lists pandas and openpyxl but omits the openai dependency required by the code. This mismatch means the runtime may fail or the operator may implicitly install additional packages, which increases risk.
Credentials
The skill accepts email_user and email_auth_code as inputs (appropriate for IMAP access). However, the ai_grader module expects OPENAI_API_KEY via environment variable but the skill metadata does not declare this credential. That omission is significant because student source code will be sent to a third-party API using that key. No other unrelated credentials are requested, but the undeclared API key and unannounced external transmission are disproportionate to what the SKILL.md communicates.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It stores files under data/... within the skill workspace. Persistence and privilege level are reasonable for the task, but combined with execution of untrusted code this still poses runtime risk.
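How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install homework-gader-skill
  3. Once installation finishes, invoke the Skill by name or trigger it with /homework-gader-skill
  4. Provide the required inputs as described in the Skill's parameter documentation to get structured output
Version history
v1.0.0
Can grade homework
Metadata
Slug: homework-gader-skill
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
FAQ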

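What is homework-grade?

Automatically downloads student homework from QQ email, unzips files, performs AI grading based on templates, and generates an Excel grade report. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 124 total downloads to date.

How do I install homework-grade?

Run the command "/install homework-gader-skill" in the OpenClaw or Claude Code chat box for a one-step install, with no additional configuration required.

Is homework-grade free?

Yes, homework-grade is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does homework-grade support?

homework-grade runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed homework-grade?

It is developed and maintained by yaoUUU (@yaouuu); the current version is v1.0.0.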
