Kuaishou Genius Actual

Author: zhangpei03 · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 199
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install kuaishou-genius-actual
Description
Use this skill whenever the user asks to analyze, verify, debug, reverse-engineer, or automate Kuaishou Genius "Budget/Forecast/Actual" page data flow (especially management-y...
Usage instructions (SKILL.md)

Kuaishou Genius Actual API Skill

Overview

This skill helps an agent quickly move from Genius page interactions to a reusable API call map and scripted verification for the management-yearly/actual workflow.

Use it when the goal is to identify core backend endpoints, validate request dependencies, and build repeatable checks for Genius Actual data retrieval.

Quick Start

  1. Ensure login/session is valid for genius.corp.kuaishou.com.
  2. Capture network around page reload and key filter actions.
  3. Focus on /budget-portal/api/* requests; ignore static assets and telemetry unless debugging auth/risk.
  4. Run script-based endpoint probe/client:
     cd scripts
     bash genius_api_probe.sh \
       --base-url "https://genius.corp.kuaishou.com" \
       --cookie "accessproxy_session=<YOUR_COOKIE>" \
       --year 2026

     python3 genius_client.py \
       --cookie "accessproxy_session=<YOUR_COOKIE>" \
       workflow --year 2026
  5. Output a concise report with:
    • reachable endpoints
    • required params/payload hints
    • dependency order
    • known blockers/limitations

Supported Capabilities

  1. Core API extraction

    • Identify actual business endpoints used by management-yearly/actual.
  2. API map generation

    • Build endpoint catalog: method, path, purpose, required params/body.
  3. Workflow reconstruction

    • Reconstruct request order from page load to ledger detail fetch.
  4. Scripted probing

    • Use scripts/genius_api_probe.sh to quickly verify endpoint reachability and baseline responses.
  5. Troubleshooting focus

    • Distinguish business API failures from:
      • SSO/session expiration
      • fingerprint/risk controls
      • telemetry noise

API Map (Core Business)

Base domain:

  • https://genius.corp.kuaishou.com

Core endpoints observed in Actual flow:

  • GET /budget-portal/api/authority/user

    • Purpose: fetch user auth context.
  • GET /budget-portal/api/authority/org/tree

    • Purpose: org tree for selectors/permissions scope.
  • GET /budget-portal/api/horse-race-lamp/query?tabCode=management-yearly%2Factual

    • Purpose: tab-level notification/meta.
  • GET /budget-portal/api/description/act-latest-update-date

    • Purpose: latest actual update metadata.
  • GET /budget-portal/api/annual-actual/versions?year=<YEAR>

    • Purpose: available versions for selected year.
  • POST /budget-portal/api/actual-ledger/detail

    • Purpose: ledger detail dataset.
    • Notes: requires JSON body shaped by current filters.
  • POST /budget-portal/api/actual-ledger/products

    • Purpose: product/metric dimension data for current view.
    • Notes: requires JSON body shaped by current filters.

Non-core but commonly seen (usually ignore unless diagnosing):

  • log-sdk.ksapisrv.com/* telemetry
  • mobile-device-info.corp.kuaishou.com/* device/risk
  • h5-fingerprint.corp.kuaishou.com/* fingerprint

Workflow

1) Session check

  • Confirm not redirected to SSO login.
  • Verify accessproxy_session works for genius.corp.kuaishou.com.

2) Capture

  • Reload target page:
    • https://genius.corp.kuaishou.com/management-yearly/actual
  • Capture all XHR/fetch.

3) Filter to business APIs

  • Keep only /budget-portal/api/ requests.
  • Group by: authority → metadata → versions → ledger POSTs.

4) Rebuild minimal call chain

  • Start with GET chain (auth/org/version).
  • Then reproduce POST ledger calls with realistic payload.

5) Validate by script

  • Run genius_api_probe.sh with cookie + year.
  • Record HTTP code + brief body snippet.

6) Report

Always output:

  • API list (method/path/purpose)
  • call order
  • required parameters/body fields (known/unknown)
  • current blockers and next action

Script Usage

Script paths:

  • scripts/genius_api_probe.sh
  • scripts/genius_client.py

What they do:

  • genius_api_probe.sh: probes key GET APIs and sends placeholder POSTs for quick triage
  • genius_client.py: structured client for core APIs (single endpoint or full workflow), supports custom JSON payload files

Required inputs:

  • --base-url (default https://genius.corp.kuaishou.com)
  • --cookie (must include valid accessproxy_session=...)

Optional:

  • --year (default 2026)

Known Limitations

  1. SSO/session coupling

    • Without valid session cookie, requests fall back to SSO and API probing is invalid.
  2. Risk/fingerprint controls

    • Some environments may require device/fingerprint side requests; replay outside browser may fail.
  3. POST body incompleteness

    • actual-ledger/detail and actual-ledger/products need accurate business payload fields from live capture.
  4. Environment drift

    • static bundle versions and backend schema may change; always re-capture when results diverge.
  5. Permission scope

    • org tree and ledger visibility depend on account permissions; data differences are expected across users.
Security usage recommendations
This skill appears to do what it says (probe internal Genius API endpoints) but has some important practical and security omissions to be aware of:

  • The skill requires a valid session cookie (accessproxy_session) but the package metadata does not declare this; expect to provide a sensitive cookie string on the command line. Only do this in a trusted environment and avoid reusing long-lived or highly-privileged browser session cookies.
  • The repository metadata also omits required binaries; the scripts assume bash, curl, and python3 are available. Verify those tools and run the code locally rather than giving your cookie to a remote system.
  • The python client supports --insecure which disables TLS verification. Do not use --insecure unless you understand the network risk (it can enable man-in-the-middle attacks).
  • The scripts print API responses (which may contain sensitive org or ledger data) to stdout. Treat output as potentially sensitive and avoid sharing it.

Before installing or running:

  1. Inspect the scripts yourself (you have them) and run them in an isolated environment.
  2. Prefer a low-privilege/test account or ephemeral session cookie if possible.
  3. Do not paste session cookies into third-party UIs; run locally.
  4. If you need metadata in the skill registry, ask the publisher to declare the cookie requirement and required binaries explicitly.

Given the above mismatches (sensitive cookie handling and undeclared binaries), proceed cautiously; the behavior is consistent with its stated purpose but the missing declarations and the need for sensitive credentials are why this is flagged as suspicious.
Functional analysis
Type: OpenClaw Skill
Name: kuaishou-genius-actual
Version: 1.0.0

The skill bundle is a utility designed for automating and debugging data flows on the Kuaishou Genius internal portal (genius.corp.kuaishou.com). It contains a bash script (genius_api_probe.sh) and a Python client (genius_client.py) that perform standard GET and POST requests to internal endpoints using a user-provided session cookie. The code is transparent, lacks obfuscation, and shows no signs of data exfiltration to external domains or malicious intent; it functions strictly as an API interaction tool for the stated target domain.
Capability assessment
Purpose & Capability
The skill name, description, SKILL.md, and included scripts all focus on mapping and probing the Kuaishou Genius 'management-yearly/actual' API flow; the requested actions (GET/POST probing, reconstructing payloads) are coherent with that purpose. There is no evidence the skill is trying to perform unrelated cloud or system administration tasks.
Instruction Scope
Runtime instructions explicitly tell the agent/operator to capture browser network traffic and to run the provided scripts with a valid session cookie. The instructions do not request reading unrelated files or exfiltrating data to third-party endpoints; they will, however, cause the agent/operator to expose potentially sensitive response bodies and session cookies to their local terminal. The SKILL.md expects the user/agent to supply a valid accessproxy_session cookie which is sensitive.
Install Mechanism
No install spec is provided (instruction-only with bundled scripts), so nothing is downloaded or installed automatically. The included shell and Python scripts are plain text and run locally — lower installation risk compared with remote installers.
Credentials
The package metadata declares no required environment variables or binaries, but the SKILL.md and scripts require: (1) a valid session cookie (accessproxy_session) to authenticate to genius.corp.kuaishou.com, and (2) local tools: bash, curl, python3. Requiring a session cookie is proportionate to the stated purpose, but the manifest omission (no declared primary credential or required env) is an incoherence and a security UX risk: users/agents may be prompted to paste sensitive cookies without the registry documenting that requirement. The python client also supports an --insecure flag (disables TLS verification), which is potentially dangerous if misused.
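The manifest-versus-script mismatch described above can be checked mechanically before a bundle is trusted. The following is an added example, not code from the skill or the registry; the manifest shape, file names and script contents are constructed for illustration.

```python
import re

# Hypothetical manifest shape; the page does not show the registry's real schema.
MANIFEST = {"required_binaries": [], "primary_credential": None}

# Constructed stand-ins for bundled scripts (not the skill's actual code).
BUNDLE = {
    "probe.sh": '#!/usr/bin/env bash\ncurl -sS -H "Cookie: $COOKIE" "$BASE_URL/api/ping"\n',
    "client.py": (
        "import argparse\n"
        "p = argparse.ArgumentParser()\n"
        "p.add_argument('--cookie', required=True)\n"
        "p.add_argument('--insecure', action='store_true')\n"
    ),
}

SHELL_TOOLS = ("curl", "wget", "jq")
CREDENTIAL_HINTS = re.compile(r"--cookie|Cookie:|--token|Authorization:", re.I)
TLS_OFF_HINTS = re.compile(r"--insecure|verify\s*=\s*False|curl[^\n]*\s-k\b")


def audit(manifest, bundle):
    """Return (source, finding) pairs where scripts need more than the manifest declares."""
    used, findings = set(), []
    for name, text in bundle.items():
        if name.endswith(".py"):
            used.add("python3")
        if name.endswith(".sh"):
            used.add("bash")
            # A tool counts as used when it appears at a command position.
            used.update(t for t in SHELL_TOOLS
                        if re.search(rf"(?m)(^|[|;&(]\s*){t}\b", text))
        if CREDENTIAL_HINTS.search(text) and not manifest.get("primary_credential"):
            findings.append((name, "undeclared-credential"))
        if TLS_OFF_HINTS.search(text):
            findings.append((name, "tls-verification-can-be-disabled"))
    for binary in sorted(used - set(manifest.get("required_binaries", []))):
        findings.append(("manifest", f"undeclared-binary:{binary}"))
    return findings


if __name__ == "__main__":
    for source, finding in audit(MANIFEST, BUNDLE):
        print(f"{source}: {finding}")
```

A manifest that declares the credential and binaries still leaves the TLS finding, since that is a property of the script rather than of the declaration.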
Persistence & Privilege
The skill is not always-enabled, does not request autonomous privilege escalation, and does not modify other skills or system-wide agent settings. It runs on demand and does not claim persistent presence.
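How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install kuaishou-genius-actual
  3. Once installation completes, call the Skill by name or trigger it with /kuaishou-genius-actual
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history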
v1.0.0
Initial release: Genius API client and export workflow
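Metadata
Slug: kuaishou-genius-actual
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
Frequently asked questions

What is Kuaishou Genius Actual?

Use this skill whenever the user asks to analyze, verify, debug, reverse-engineer, or automate Kuaishou Genius "Budget/Forecast/Actual" page data flow (especially management-y... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 199 total downloads to date.

How do I install Kuaishou Genius Actual?

Run the command "/install kuaishou-genius-actual" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.

Is Kuaishou Genius Actual free?

Yes, Kuaishou Genius Actual is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does Kuaishou Genius Actual support?

Kuaishou Genius Actual is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Kuaishou Genius Actual?

It is developed and maintained by zhangpei03 (@zhangpei03); the current version is v1.0.0.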