
Rrbdagent

Author: zengjwmail · GitHub · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 235
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install rrbdagent
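Description
OpenClaw skill for the RRBD Admin project. It is invoked when the user needs to perform API calls, automated operations, or system tasks through natural-language conversation.
Security usage recommendations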
This skill appears to implement the RRBD Admin video/avatar automation it advertises, but take these precautions before installing or running it:
- Do not run it with your real account/password. The skill prompts for credentials and will save them in config.json in plaintext. Use a throwaway/test account if you want to try it.
- Remove or inspect any hard-coded credentials in scripts (several files call login('18098901246','123456')).
- Review package.json and run npm install in a controlled sandbox (container or VM). The package contains executable JS; review code paths that perform network calls before executing.
- Prefer authorization via short-lived tokens or environment-injected secrets rather than storing passwords in files. If you must store anything, use encrypted storage and obtain clear user consent.
- Note the documentation/implementation mismatch (Python vs Node); confirm which runtime you will actually execute and adjust your environment accordingly.
If you want, I can: (a) point out exact lines/files where credentials are hard-coded, (b) extract the list of network endpoints used, or (c) suggest a minimal safe test procedure (sandbox commands) to evaluate the skill offline.
Functional analysis
Type: OpenClaw Skill
Name: rrbdagent
Version: 1.0.1
The skill bundle is an automation agent for the RRBD Admin video generation platform. It is classified as suspicious due to poor security practices that create significant vulnerabilities, specifically prompting for and storing user credentials (mobile and password) in plain text within 'config.json' (api_client.js). Furthermore, numerous scripts (e.g., 'check_now.js', 'create_video_laozeng_shuai.js', and 'index.js') contain hardcoded credentials for a specific test account (18098901246). While these behaviors are aligned with the stated purpose of API automation and testing, the handling of sensitive authentication data is insecure and poses a high risk of credential theft.
Capability assessment
Purpose & Capability
The skill name/description (RRBD Admin, digital-person and video management) aligns with the included code and API endpoints (base_url https://rrbd20.yzidea.net/api and related /digital/* endpoints). The bundled JS scripts implement login, list, create-video, status-check flows consistent with the stated functionality.
Instruction Scope
SKILL.md and the code explicitly prompt for user phone/password and automatically save them to a local config file; runtime instructions and code read/write config.json and memory.json. Several helper scripts contain hard-coded credentials used for automatic login. The skill will perform network calls to the provided backend and persist user-provided secrets locally — behavior that goes beyond a read-only assistant and involves storing and transmitting sensitive data.
Install Mechanism
There is no install spec (instruction-only in metadata) but the package contains many executable JS files, package.json, and package-lock.json — so to run it a user will likely run npm install and execute scripts. No remote downloads or obscure URLs were observed in the provided files. The mismatch between SKILL.md describing Python scripts and the actual repo being mostly Node.js is an inconsistency.
Credentials
The skill requests no declared environment variables, but it does require user account credentials (phone/password) and saves them in config.json in plaintext. That persistent storage of secrets is disproportionate without stronger protections (encryption, use of ephemeral tokens, or using environment-secret injection). Multiple files also include hard-coded test credentials, which is risky and unnecessary for normal operation.
Persistence & Privilege
always:false and no special OS privileges requested. The skill writes only to its own files (config.json, memory.json) and does not attempt to change other skills or system-wide settings. Persisting its own memory/config is expected behavior for this kind of utility.
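How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install rrbdagent
  3. After installation, call the skill by name or trigger it with /rrbdagent
  4. Provide the required inputs according to the skill's parameter description to get structured output.
Version history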
v1.0.1
- Added multiple new video creation scripts for different templates and variants.
- Introduced several scripts for listing videos, including Python and JavaScript implementations.
- Updated SKILL.md with instructions for saving user credentials at first use, and removed default credentials from config.
- Enhanced config.json with adjustments to login settings.
- Expanded and improved scripts to support additional video creation and listing operations.
v1.0.0
Initial release of rrbdagent, an OpenClaw skill for the RRBD Admin project:
- Enables natural language interaction with the RRBD Admin backend API, focusing on digital avatar (数字人形象) management.
- Supports multi-turn conversation, context retention, intelligent intent recognition, and authentication flows.
- Provides automation scripts and testing tools for login, digital avatar listing, and video creation, using Python scripts and configuration files.
- Allows real API execution (not mock data), managing real user tasks such as login, avatar management, video creation, AI services, and financial actions.
- Includes security practices for API key management, input validation, and tenant isolation.
- Offers configurable endpoints, default credentials, and detailed usage instructions for both natural language and script-based operation.
Metadata
Slug: rrbdagent
Version: 1.0.1
License: MIT-0
Total installs: 0
Current installs: 0
Number of versions: 2
FAQ

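What is Rrbdagent?

An OpenClaw skill for the RRBD Admin project. It is invoked when the user needs to perform API calls, automated operations, or system tasks through natural-language conversation. It is an AI agent skill plugin for Claude Code / OpenClaw, with 235 total downloads to date.

How do I install Rrbdagent?

Run the command "/install rrbdagent" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.

Is Rrbdagent free?

Yes. Rrbdagent is completely free and is released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does Rrbdagent support?

Rrbdagent is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Rrbdagent?

Developed and maintained by zengjwmail (@zengjwmail); the current version is v1.0.1.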
