
quiz-maker Quiz Generator

Author: alsxie · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
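Total downloads: 84
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install quiz-maker
Description
Quiz generation tool. Generates a multiple-choice test paper from document content (docx, pdf, txt, etc.) and returns a QR code that respondents scan to answer. Trigger words: 出题 (set questions), 生成题目 (generate questions), 创建测验 (create quiz), 云端出题 (cloud quiz generation).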
Security usage advice
Key points before installing or running anything from this package:
- This skill will (per SKILL.md) send extracted document text to an external server at 118.196.5.240:34100. If your documents contain sensitive data do NOT upload them without confirming the operator, privacy policy, and retention practices.
- The package includes a deploy script that installs system services and runs the server as root. Do NOT run deploy/deploy.sh as root unless you trust the code and the service owner; review server.js, upload-handler.js and quiz-create.js line-by-line first.
- The SKILL.md expects a local node script at ~/.openclaw/quiz-maker/quiz-create.js but the package provides no install instructions; that mismatch is suspicious. Ask the publisher how the client is meant to be installed and why server code is bundled.
- parser.js uses child_process.execSync with shell pipelines as a fallback for PPTX parsing. If you run the bundled server, inspect how uploaded filenames and paths are validated to avoid command injection.
- Prefer to: (1) get a named, verifiable domain and operator contact for the cloud endpoint; (2) run the client code in an isolated environment (container/VM) and inspect network traffic before sending sensitive documents; (3) if you need an on‑premise solution, review and test the server code thoroughly and change the systemd unit to run as a non-root user and follow least privilege practices.
If you want, I can: (a) highlight lines in server.js / quiz-create.js / upload-handler.js where uploads are transmitted or where execSync is used; or (b) suggest a safe minimal workflow to test the client without exposing real documents.
Functional analysis
Type: OpenClaw Skill
Name: quiz-maker
Version: 1.0.0
The skill bundle contains several high-risk configurations and behaviors that, while supporting its stated purpose, pose significant security risks. Most notably, the agent instructions in 'SKILL.md' and the client script 'quiz-create.js' are hardcoded to exfiltrate document content to a specific remote IP address (118.196.5.240) rather than a user-configured endpoint. Additionally, 'start.sh' automatically establishes a Cloudflare Tunnel to expose the local server to the public internet, and 'quiz-create.js' explicitly disables SSL certificate verification ('rejectUnauthorized: false'). The bundle also includes a hardcoded API key in 'question_generator.js' and a potential shell injection vulnerability in 'parser.js' via unsanitized execution of the 'strings' command, although the latter is partially mitigated by generated filenames.
Capability tags
requires-sensitive-credentials
Capability assessment
Purpose & Capability
Name/description: generate multiple‑choice quizzes from documents and deliver a QR code — and the SKILL.md explicitly says "use cloud service" at 118.196.5.240:34100. That capability legitimately requires sending document text to a service. However the package also contains full server code (server.js, upload-handler.js, db.js, deploy/deploy.sh, etc.) but there is no install spec and SKILL.md expects a local helper at ~/.openclaw/quiz-maker/quiz-create.js. Including a server + deployment script is disproportionate for a client-only instruction skill and creates ambiguity about whether you should run a remote service, a local client, or install the bundled server locally.
Instruction Scope
The SKILL.md instructs the agent/user to extract text locally (python docx/PyPDF2 examples) and then run a node script (node ~/.openclaw/quiz-maker/quiz-create.js "<内容>" "<标题>" "<说明>"). That node script is expected to call the cloud service (the skill documents the cloud IP). The instructions require reading arbitrary local documents and then transmitting their text to an externally hosted service (118.196.5.240:34100). The instructions don't provide an install step for the local script, don't document what is transmitted, and don't warn about privacy of uploading full document contents. Parser code (parser.js) uses child_process.execSync to run shell commands (strings | grep | head) as a fallback for PPTX parsing — if file paths or inputs are not properly sanitized this is a potential command‑injection vector.
Install Mechanism
There is no declared install spec in the registry metadata nor in SKILL.md, yet the repo includes deploy/deploy.sh which installs Node.js, nginx, certbot, creates /opt/quiz-maker, writes a systemd unit, and configures the service to run as User=root. That deployment script, if executed, would make persistent system changes and run the service as root — a high privilege action that is unnecessary to simply call a remote API. The cloud host is a raw IP (118.196.5.240:34100) rather than a well-known release host or domain; using a numeric IP is higher risk and harder to validate.
Credentials
The skill does not request environment variables or credentials (requires.env is empty) which is appropriate for an API-forwarded quiz generator. However, the package uploads local document contents to a third-party server (hard-coded IP) — even without requiring a key — so the privacy/sensitivity of transmitted data is a concern. No secrets are requested, but the remote endpoint and included server/deploy scripts increase the attack surface.
Persistence & Privilege
The skill metadata does not force 'always' inclusion, but the codebase contains a deploy script that configures a persistent systemd service running as root (User=root). That would give the packaged application long-lived system presence and high privilege if an operator ran deploy/deploy.sh. The presence of such a script in an otherwise instruction-only skill is disproportionate and risky.
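How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install quiz-maker
  3. Once installation completes, invoke the Skill by name or trigger it with /quiz-maker
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
Initial release
Metadata
Slug: quiz-maker
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
FAQ

What is quiz-maker Quiz Generator?

Quiz generation tool. Generates a multiple-choice test paper from document content (docx, pdf, txt, etc.) and returns a QR code that respondents scan to answer. Trigger words: 出题 (set questions), 生成题目 (generate questions), 创建测验 (create quiz), 云端出题 (cloud quiz generation). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 84 total downloads to date.

How do I install quiz-maker Quiz Generator?

Run the command "/install quiz-maker" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is quiz-maker Quiz Generator free?

Yes, quiz-maker Quiz Generator is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does quiz-maker Quiz Generator support?

quiz-maker Quiz Generator runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed quiz-maker Quiz Generator?

It is developed and maintained by alsxie (@alsxie); the current version is v1.0.0.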
