← 返回 Skills 市场
米游社工具
作者
carcloud-ml
· GitHub ↗
· v0.1.1
· MIT-0
214
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install mystool
功能描述
米游社工具插件。当用户消息包含以下任意关键词时触发:米游社登录、米游社绑定、米游社账号、米游社解绑、米游社任务、米游币任务、米游社签到、原神便笺、星铁便笺、开拓力、树脂、米游币商品、米游社兑换、米游社帮助、扫码补全stoken。支持短信登录、扫码登录、Cookie 登录三种方式。
安全使用建议
This skill appears to do what it claims (MiYoShe login, tasks, sign-ins, and exchange) and includes working code that will run locally and contact official MiYoShe/Mihoyo endpoints. Key things to consider before installing or using it:
- Sensitive data: You will be asked to paste cookies, stoken info or phone numbers. Those are saved unencrypted under skills/mystool/data/accounts.json and related files — treat these as high-risk secrets.
- Trust the author: The skill has no homepage and an unknown source; review the code (especially src/api.py, runner.py, sms_login.py, and store.py) yourself before providing real credentials.
- External proxy URL: If you configure a proxy (proxy_config.api_url), the skill will fetch data from that URL to get proxy IPs — that URL could be malicious or point to internal endpoints. Only set it to trusted services.
- Automated actions: runner.py will run daily cron tasks and can iterate all stored accounts. If installed on a shared agent, it will act for every stored user account — consider isolation.
- Deployment suggestions: run in an isolated/trusted environment, audit the full source (untruncated files), and test with a throwaway account first. If you must use real accounts, consider encrypting the data directory or avoiding storing long-lived cookies in this skill.
If you want, I can highlight exact lines/places to inspect (e.g., where cookies are written, where external network calls occur) or scan the remaining truncated files for suspicious behavior.
功能分析
Type: OpenClaw Skill
Name: mystool
Version: 0.1.1
The skill bundle is a comprehensive Miyoushe automation tool that handles sensitive user credentials, including cookies and login tokens. It contains a functional SSRF (Server-Side Request Forgery) vulnerability in 'src/sms_login.py' via the '_get_proxy' function, which performs unvalidated HTTP GET requests to a user-provided URL. Additionally, the tool implements a cross-platform account sharing mechanism in 'src/store.py' ('merge_user_accounts') that allows transferring sensitive session data between users via 6-digit codes. While these features are documented as intended for power users, the combination of credential handling, local storage of cookies in 'data/accounts.json', and the SSRF risk warrants a suspicious classification.
能力评估
Purpose & Capability
Name/description (米游社工具) match the code: modules implement SMS/QR/Cookie login, daily tasks, sign-in, goods exchange, proxy support, and local account storage. No unrelated cloud credentials or unrelated binaries are requested.
Instruction Scope
SKILL.md instructs the agent to run plugin.py/runner.py (and lists pip deps). That runtime will execute the included Python code which performs network calls to mihoyo/miyoushe endpoints, reads/writes local data files under data/ and log/, and may call a user-configured proxy; this is within the plugin's stated purpose but means the agent executes code (not just text-processing).
Install Mechanism
No automated install spec (instruction-only), which is lower risk. SKILL.md lists pip dependencies (httpx, pycryptodome, qrcode) that the operator must install; that is reasonable and expected for this functionality.
Credentials
The skill does not request environment variables but it handles highly sensitive secrets: cookies, stoken, phone numbers and stores them unencrypted in data/accounts.json and related files. It also can fetch an external proxy IP from a user-supplied API_URL (data/proxy_config.json). Storing and reading these secrets is proportional to the feature but is a significant security/privacy concern — you must trust the skill before providing real credentials.
Persistence & Privilege
always:false and the skill does not claim to modify other skills. It persists state (data/ and log/) and includes runner.py for scheduled cron tasks that will act on all stored accounts — this is expected for automation but increases blast radius if the code is malicious or run on an untrusted host.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install mystool - 安装完成后,直接呼叫该 Skill 的名称或使用
/mystool触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.1
修正 bug
v0.1.0
mystool 0.1.0 — 首个版本
- 新增米游社工具插件,支持账号登录、绑定、任务、签到、商城兑换等多项功能。
- 支持短信、扫码、Cookie 三种登录方式及扫码补全 stoken。
- 自动每日执行米游币和签到任务,通过 cron 推送结果。
- 提供详细指令列表,适配 Telegram、QQBot、多渠道。
- 独立日志记录和代理设置支持。
元数据
常见问题
米游社工具 是什么?
米游社工具插件。当用户消息包含以下任意关键词时触发:米游社登录、米游社绑定、米游社账号、米游社解绑、米游社任务、米游币任务、米游社签到、原神便笺、星铁便笺、开拓力、树脂、米游币商品、米游社兑换、米游社帮助、扫码补全stoken。支持短信登录、扫码登录、Cookie 登录三种方式。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 214 次。
如何安装 米游社工具?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install mystool」即可一键安装,无需额外配置。
米游社工具 是免费的吗?
是的,米游社工具 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
米游社工具 支持哪些平台?
米游社工具 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 米游社工具?
由 carcloud-ml(@carcloud-ml)开发并维护,当前版本 v0.1.1。
推荐 Skills