功能描述

Interact with I'm Pretty Amazing (imprettyamazing.com) — a platform for tracking and celebrating accomplishments. Use when: posting wins, tracking achievemen...

使用说明 (SKILL.md)

I'm Pretty Amazing

Name: I'm Pretty Amazing
Author: macksmind

Interact with imprettyamazing.com to track accomplishments.

First-Time Setup

On first use, check TOOLS.md for an ### I'm Pretty Amazing section.

Persisted auth data should include cookie values and JWT expiry metadata so auth can be reused until expiration:

### I'm Pretty Amazing
- **Username:** their-username (optional)
- **Access Token Cookie:** eyJhbGciOi...
- **Refresh Token Cookie:** eyJhbGciOi... (optional but recommended)
- **Access Token Expires At (UTC):** 2026-03-21T03:04:46Z

Token handling:

Never commit token values to git-tracked files.
Never print full session token values (access_token, refresh_token) in chat responses or logs. One-time verification codes from email are safe to paste in chat since they expire on use.

If auth cookies are missing or expired:

Ask the user: "Do you have an I'm Pretty Amazing account, or should I create one?"
New account: Collect username, email, and password → POST /auth/register. Remind them to verify their email. If they want in-chat help, ask them to paste the verification token (or tokenized verification URL) from their email, then call POST /auth/verify-email with that token.
Existing account: Continue.
Before asking for credentials, tell the user: "I'll need your email and password to log in. They'll be sent directly to the I'm Pretty Amazing API and won't be stored." Then prompt for email and password.
Call POST /auth/login.
If login fails, re-prompt for email/password.
After successful login, ask the user: "Want me to save your session tokens so you stay logged in for future requests? They'll be stored in plaintext in TOOLS.md and expire automatically. Decline if others can access your TOOLS.md." If they agree, persist access_token, refresh_token (if present), and access-token expiry in TOOLS.md. If they decline, use the cookie file for this session only.
Never persist email/password in TOOLS.md.
Reuse persisted auth cookies until the stored access-token expiry time.

Never hardcode credentials in commands.

Authentication Pattern (follow exactly)

Session cookies are required for most endpoints.

No-login endpoints:

POST /auth/register
POST /auth/login
POST /auth/forgot-password
POST /auth/reset-password
POST /auth/verify-email

Cookie-auth endpoints:

POST /auth/resend-verification
GET /auth/me
All wins, comments, likes, follows, blocks, profile, feed, and feedback endpoints

For cookie-auth endpoints, follow these steps:

Step 0 — Reuse persisted auth if still valid (preferred):

Read persisted Access Token Cookie (and Refresh Token Cookie if available) from TOOLS.md.
Verify that Access Token Cookie is present and Access Token Expires At (UTC) is a valid ISO 8601 timestamp (YYYY-MM-DDTHH:MM:SSZ). If either is missing or malformed, continue to Step 1.
If Access Token Expires At (UTC) is in the future, rebuild a cookie jar from those values and use that jar for requests.
If expired, continue to Step 1.

Canonical cookie-jar rebuild snippet (substitute persisted values from TOOLS.md):

IPA_COOKIE_FILE="/tmp/ipa-cookies-$$.txt"

ACCESS_TOKEN="\x3CAccess Token Cookie from TOOLS.md>"
REFRESH_TOKEN="\x3CRefresh Token Cookie from TOOLS.md>"

cat > "$IPA_COOKIE_FILE" \x3C\x3CEOF
# Netscape HTTP Cookie File
.imprettyamazing.com	TRUE	/	TRUE	0	access_token	$ACCESS_TOKEN
.imprettyamazing.com	TRUE	/	TRUE	0	refresh_token	$REFRESH_TOKEN
EOF

If Refresh Token Cookie is unavailable, omit the REFRESH_TOKEN assignment and the refresh_token line.

Step 1 — Login (do this once, before any other calls):

IPA_COOKIE_FILE="/tmp/ipa-cookies-$$.txt"

curl -s -X POST https://api.imprettyamazing.com/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"email":"EMAIL","password":"PASSWORD"}' \
  -c "$IPA_COOKIE_FILE"

The -c flag saves auth cookies (access_token and refresh_token) to the cookie file.

After login, extract cookie values. If the user opted in to session persistence (see First-Time Setup step 7), persist them to TOOLS.md with access-token expiry (from JWT exp).

Canonical cookie extraction snippet (from curl cookie jar):

ACCESS_TOKEN="$(awk '$6=="access_token" {print $7}' "$IPA_COOKIE_FILE" | tail -n 1)"
REFRESH_TOKEN="$(awk '$6=="refresh_token" {print $7}' "$IPA_COOKIE_FILE" | tail -n 1)"

test -n "$ACCESS_TOKEN" || { echo "Missing access_token in cookie jar"; exit 1; }

Canonical expiry extraction snippet (from access_token):

# ACCESS_TOKEN should be the cookie value only (no "access_token=" prefix)
ACCESS_TOKEN="..."

ACCESS_TOKEN_EXPIRES_AT_UTC="$(python3 - \x3C\x3C'PY'
import base64, json, os
token = os.environ["ACCESS_TOKEN"]
payload = token.split('.')[1]
payload += '=' * (-len(payload) % 4)
data = json.loads(base64.urlsafe_b64decode(payload.encode()).decode())
from datetime import datetime, timezone
print(datetime.fromtimestamp(data['exp'], tz=timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ'))
PY
)"

echo "$ACCESS_TOKEN_EXPIRES_AT_UTC"

Persist ACCESS_TOKEN_EXPIRES_AT_UTC as Access Token Expires At (UTC) in TOOLS.md. Persist ACCESS_TOKEN as Access Token Cookie and REFRESH_TOKEN (if present) as Refresh Token Cookie.

Step 2 — Make API calls (reuse the cookie file):

curl -s https://api.imprettyamazing.com/wins/my-wins \
  -b "$IPA_COOKIE_FILE"

Use -b "$IPA_COOKIE_FILE" on every cookie-auth request.

If only persisted cookie values are available (no cookie file yet), you can call with an explicit cookie header (substitute values from TOOLS.md):

curl -s https://api.imprettyamazing.com/wins/my-wins \
  -H "Cookie: access_token=\x3CAccess Token Cookie from TOOLS.md>; refresh_token=\x3CRefresh Token Cookie from TOOLS.md>"

Step 3 — Handle expired sessions: If any call returns {"statusCode": 401, ...}:

Prompt again for email/password (session-only).
Call POST /auth/login again and overwrite the cookie file with -c.
Re-extract cookies from IPA_COOKIE_FILE. If session persistence was previously opted in, update access_token, refresh_token, and Access Token Expires At (UTC) in TOOLS.md.
Retry the failed call.

Rules:

Never store email/password in TOOLS.md.
Always send -b "$IPA_COOKIE_FILE" for cookie-auth endpoints.
Use a unique cookie filename per session to avoid conflicts.
Reuse persisted auth cookies until access-token expiry, then re-login.
If cookies are missing or invalid, prompt for email/password and re-login.
Cookies may contain JWT-based tokens (for example access_token), but authentication is performed by sending cookies.

Confirmation Before Mutations

Before any state-changing action, get explicit user confirmation. This includes:

POST, PATCH, and DELETE calls (for example creating/updating/deleting wins, comments, follows, blocks, profile updates, feedback)
Account creation via POST /auth/register

Read-only GET requests do not require additional confirmation.

API Notes

All endpoints use JSON (Content-Type: application/json) except POST /profile/avatar and POST /profile/cover (multipart form data for file uploads).
Success responses vary by endpoint (single object, list with pagination, or empty body such as some DELETE responses).
Errors return: {"statusCode": \x3Ccode>, "message": {"message": [...], "error": "...", "statusCode": \x3Ccode>}}. Always check for statusCode in the response.

Posting a Win

Login first (see Authentication Pattern above), then:

IPA_COOKIE_FILE="/tmp/ipa-cookies-$$.txt"

curl -s -X POST https://api.imprettyamazing.com/wins \
  -b "$IPA_COOKIE_FILE" \
  -H 'Content-Type: application/json' \
  -d '{"content":"Your win here","type":"PERSONAL","visibility":"PUBLIC"}'

# Success response:
# {"id":"...","content":"Your win here","type":"PERSONAL","visibility":"PUBLIC","status":"APPROVED",...}
#
# Error response:
# {"statusCode":400,"message":{"message":["content should not be empty"],"error":"Bad Request","statusCode":400}}

STAR Format

Wins can optionally include a STAR (Situation, Task, Action, Result) breakdown. Pass a starFormat object when creating or updating a win.

All four fields are required when starFormat is provided — omitting any field returns a 500 error.

curl -s -X POST https://api.imprettyamazing.com/wins \
  -b "$IPA_COOKIE_FILE" \
  -H 'Content-Type: application/json' \
  -d '{
    "content": "Your win here",
    "type": "PROFESSIONAL",
    "visibility": "PUBLIC",
    "tags": ["tag1", "tag2"],
    "starFormat": {
      "situation": "What was the context or challenge?",
      "task": "What needed to be done?",
      "action": "What did you do?",
      "result": "What was the outcome?"
    }
  }'

STAR format can also be added to existing wins via PATCH:

curl -s -X PATCH https://api.imprettyamazing.com/wins/:id \
  -b "$IPA_COOKIE_FILE" \
  -H 'Content-Type: application/json' \
  -d '{
    "starFormat": {
      "situation": "...",
      "task": "...",
      "action": "...",
      "result": "..."
    }
  }'

STAR Format Object Fields

id, winId, situation, task, action, result, createdAt, updatedAt

Win Types

PERSONAL, PROFESSIONAL, HEALTH, SOCIAL, CREATIVE, LEARNING

Visibility

PUBLIC (visible to all users) or PRIVATE (only visible to the poster).

Other Actions

All cookie-auth actions require -b "$IPA_COOKIE_FILE" after login. The API reference at references/api.md is the complete endpoint documentation. Read it before using any endpoint not shown above.

Update/delete wins: PATCH /wins/:id (JSON body), DELETE /wins/:id
Comments: POST /wins/:id/comments with {"content": "..."}, GET /wins/:id/comments
Likes: POST /wins/:id/like, DELETE /wins/:id/like (toggle)
Follow/unfollow: POST /follows/:userId, DELETE /follows/:userId
Profile: PATCH /profile (JSON: username, bio max 500 chars, location, website)
Avatar/cover: POST /profile/avatar (multipart avatar), POST /profile/cover (multipart cover, keep file small)
Feedback: POST /feedback with {"category": "BUG|FEATURE_REQUEST|GENERAL", "message": "...", "pageUrl": "...", "pageContext": "..."}

Clear Session

If the user asks to log out or clear their session, remove the ### I'm Pretty Amazing section from TOOLS.md and delete any /tmp/ipa-cookies-*.txt files.

Proactive Usage

When the user accomplishes something notable — ships a feature, closes a deal, solves a hard problem, learns something new — suggest posting it as a win. Draft the content and confirm before posting.

安全使用建议

This skill appears to be a straightforward API client for imprettyamazing.com, but it will ask you to provide your account email and password (sent to the service) and may ask you to paste one-time verification or reset tokens into chat. It also offers to store session cookies (access/refresh tokens) in plaintext in TOOLS.md so you stay logged in. Before installing or using the skill: (1) confirm where TOOLS.md is stored and who can read it — decline persistent storage if others have access; (2) prefer ephemeral sessions (don't allow token persistence) if you're unsure; (3) avoid pasting long-lived secrets into chat — one-time codes are lower-risk but still share-sensitive; (4) consider creating an account/password distinct from your primary accounts; and (5) if you need stronger guarantees, request a version that supports OAuth or scoped API keys rather than plaintext cookie persistence. If you want me to, I can highlight exact lines in SKILL.md that perform these actions or suggest a safer token storage workflow.

功能分析

Type: OpenClaw Skill Name: imprettyamazing Version: 0.2.4 The skill is classified as suspicious due to the instruction to store session tokens (access_token, refresh_token) in plaintext within `TOOLS.md` (as detailed in `SKILL.md`), even with a user warning. While not explicitly malicious (as it's for session tokens and disclosed to the user), this practice introduces a significant vulnerability if `TOOLS.md` is compromised. Additionally, the reliance on shell commands (`curl`, `awk`, `python3`) for API interaction and token processing, without explicit sanitization instructions for user-provided data, creates a potential for shell injection vulnerabilities if the agent directly interpolates unsanitized input into these commands.

能力评估

✓ Purpose & Capability

Name/description match the behavior: the SKILL.md and references/api.md describe how to log in, manage wins, comments, follows, etc. There are no unrelated environment variables, binaries, or install steps requested.

⚠ Instruction Scope

The runtime instructions tell the agent to read and write TOOLS.md to persist cookies and expiry metadata and to create temporary cookie files in /tmp. The registry metadata did not declare required config paths, so the SKILL.md's reliance on TOOLS.md is an unadvertised side-effect. The skill also instructs the agent to ask the user for email/password and to prompt the user to paste email verification/reset tokens into chat — both are legitimate for login flows but are privacy-sensitive operations that should be handled with care.

✓ Install Mechanism

This is an instruction-only skill with no install steps, downloads, or code files. No installation risk present.

ℹ Credentials

The skill requests no environment variables or external credentials up front, which is appropriate. However, it explicitly instructs collecting user email/password interactively and persisting access/refresh tokens (cookies) in plaintext in TOOLS.md if the user opts in. Requesting credentials for the service itself is proportionate, but persisting tokens in plaintext increases privacy risk.

ℹ Persistence & Privilege

always:false and no system-wide changes are requested. The skill does request persistent storage of session tokens in TOOLS.md (its own tool storage), which is normal for convenience but raises persistence/privacy considerations; it does not request elevated privileges or modify other skills.

版本历史

v0.2.4

- Clarified token safety: session tokens (access_token, refresh_token) should never be printed in chat or logs; one-time email verification codes are safe to paste. - Updated session token persistence notice to more explicitly warn users that tokens are saved in plaintext in TOOLS.md if persistence is enabled. - Revised language regarding chat output and credential handling for greater user clarity and security. - No functional or API flow changes; documentation and consent interactions only.

v0.2.3

imprettyamazing 0.2.3 - Added stronger privacy guidance: never commit token values to git or print full tokens in logs/results. - Clarified user prompts for login and account creation, including prior notice before requesting credentials. - Session tokens are now saved in TOOLS.md only with explicit user consent (opt-in after login); session-only logins are supported. - Improved instructions for email verification: users can paste their verification token or URL for in-chat verification support. - Refined cookie-jar rebuild and header instructions for use with persisted tokens and session files.

v0.2.2

imprettyamazing 0.2.2 changelog - Added explicit user consent before saving session tokens; tokens are now only persisted if the user agrees. - Updated login prompt to notify users that email and password are sent directly to the API and not stored. - Clarified token confidentiality: never print or commit token values. - Removed required_env_vars for tokens; tokens are now optional and only saved with user permission. - Improved instructions for session persistence, credential prompting, and re-login flow.

v0.2.1

Version 0.2.1 - Added required_env_vars (IPA_ACCESS_TOKEN, IPA_REFRESH_TOKEN, IPA_ACCESS_TOKEN_EXPIRES_AT_UTC) and required_binaries (python3) sections in SKILL.md. - Updated security and storage guidance: clarified authentication token handling, emphasized local-only persistence, and prohibited token exposure in logs or version control. - Improved first-time setup steps and user prompts for registration and verification. - Expanded notes about skill autonomy and scoping. - No behavioral changes to API request or confirmation patterns.

v0.2.0

imprettyamazing v0.2.0 - Added support for including a STAR (Situation, Task, Action, Result) format when creating or updating wins (all fields required if used). - Updated documentation to describe the new STAR format feature.

v0.1.0

Initial release of imprettyamazing skill, enabling interaction with the I'm Pretty Amazing platform. - Allows users to track and celebrate achievements, post wins, manage profile, comment/like, and give feedback. - Implements robust authentication flow with cookie management and secure token persistence. - Guides first-time setup and account creation (new or existing) with clear prompts and email verification. - Ensures session reuse by persisting auth tokens and their expiry to TOOLS.md, and handles session refresh/login as needed. - Confirms user intent before performing any state-changing actions (posting, updating, deleting). - Provides detailed usage instructions and canonical API command examples for transparency.

元数据

Slug imprettyamazing

版本 0.2.4

许可证 —

累计安装 1

当前安装数 1

历史版本数 6

常见问题