← 返回 Skills 市场
78
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install venue-polling
功能描述
Use this skill when the user wants to poll gym venue availability, inspect or modify the `venue_polling.py` order-signing flow, or run the bundled signature...
安全使用建议
This skill appears to do what it says (poll venue availability and help debug signing), but it reads a local rsa_private_key.pem and contains a hardcoded API token — neither of which are declared in the metadata. Before running it: (1) review the code yourself or have someone you trust review it; (2) do not place your real private key or production tokens in the working directory unless you trust the code and the remote endpoint; (3) remove or replace the hardcoded TOKEN and prefer an environment variable if you must supply credentials; (4) run signature-replay and verification helpers offline first (they won't contact the network) before enabling AUTO_BOOK; (5) run the scripts in an isolated environment (container/VM) and monitor outbound network traffic; and (6) be aware running venue_polling.py with AUTO_BOOK=True will attempt to create real orders on the external service, which could have financial or account consequences.
功能分析
Type: OpenClaw Skill
Name: venue-polling
Version: 1.0.0
The skill bundle is a specialized toolset for automating and debugging gym venue bookings on the 'shop.chuanshatiyuchang.cn' platform. It contains scripts for polling availability (`venue_polling.py`), verifying RSA signatures (`public_key_verify_test.py`), and replaying requests (`signature_replay_test.py`). While the code performs automated network requests and requires a local RSA private key, its behavior is transparent, well-documented, and strictly aligned with the stated purpose of gym booking automation without any indicators of data exfiltration, system persistence, or malicious intent.
能力标签
能力评估
Purpose & Capability
The name/description match the included scripts: venue_polling.py (polling + auto-booking), signature_replay_test.py and public_key_verify_test.py (offline signature debugging). The skill talks to a real external endpoint (shop.chuanshatiyuchang.cn) and includes captured requests and analysis notes — all consistent with a reverse-engineering / booking helper. However, the code embeds a hardcoded token constant (TOKEN = "0cd5cb6b21fc410dbd81bc3e6a066614") and expects a local rsa_private_key.pem file (not declared as a required credential). The presence of an embedded token and an expectation to place a private key in the working directory are not declared in the skill metadata and are disproportionate to an instruction-only skill that lists no required credentials.
Instruction Scope
SKILL.md stays on-topic: it directs the agent to read and modify the provided scripts and to use the captured references for context. It explicitly notes the scripts expect rsa_private_key.pem. It does not instruct reading unrelated system files. One caveat: the instructions encourage modifying and running bundled scripts, which — coupled with the included code — will cause outbound network requests and possibly create live orders. The agent should not run the auto-booking behavior without explicit user consent.
Install Mechanism
There is no install spec (instruction-only), so nothing is written to disk by an installer. However, the shipped Python scripts require third-party libraries (requests, cryptography) that are not declared in metadata. Running the scripts will execute code on the host and perform network I/O; users should ensure dependencies are installed from trusted sources and run in an isolated environment if needed.
Credentials
The skill metadata declares no required environment variables or credentials, but the code contains an embedded 'token-user' value and reads rsa_private_key.pem from the working directory. These are sensitive: the token is effectively a credential for the external API and the private key can sign requests. The skill thus expects or uses credentials without declaring them, which is a disproportionate and unexpected privilege request and increases risk of unintended transactions or secret exposure.
Persistence & Privilege
The skill is not marked 'always' and is user-invocable. It allows autonomous model invocation (the platform default), which by itself is normal. Combined with the credential/secret handling and the ability to send signed createOrder requests, autonomous runs could perform actions (e.g., place orders) if the private key or token are accessible — so run with caution and avoid granting it access to live secrets without review.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install venue-polling - 安装完成后,直接呼叫该 Skill 的名称或使用
/venue-polling触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of venue-polling skill.
- Provides tools for polling gym venue availability and managing order-signing for mini-program booking APIs.
- Includes scripts for venue polling, signature debugging, signature replay, and public key verification.
- Offers references and guidance for modifying polling and signing workflows.
- Supports investigation and modification of RSA-based request signatures used in booking flows.
元数据
常见问题
venue-polling 是什么?
Use this skill when the user wants to poll gym venue availability, inspect or modify the `venue_polling.py` order-signing flow, or run the bundled signature... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 78 次。
如何安装 venue-polling?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install venue-polling」即可一键安装,无需额外配置。
venue-polling 是免费的吗?
是的,venue-polling 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
venue-polling 支持哪些平台?
venue-polling 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 venue-polling?
由 ruok Lee(@ruokkkkk)开发并维护,当前版本 v1.0.0。
推荐 Skills