← 返回 Skills 市场
wacai-index-official-website-demand-dev
作者
shidengyun
· GitHub ↗
· v1.0.0
· MIT-0
313
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install wacai-index-official-website-demand-dev
功能描述
修改官网项目代码并同步需求文档。用于用户提供一大段产品需求、项目路径和可选分支后,将其写入指定项目目录下的 productdemand.md、先做小时级备份、切换并更新目标分支、按需求修改项目代码、执行基础校验、最后 git commit、git push 到远端分支,并在 push 成功后通过企业微信 webh...
安全使用建议
This skill will operate on whatever project path you give it: it copies the provided markdown into the repo (backing up hourly), runs git add/commit/push, and then posts a text payload summarizing the push to a WeCom webhook. Before installing or running it: 1) Do not rely on the default webhook — it is hard-coded in the script and will receive project path, commit hash and file-change summaries; replace it with your own WECOM_WEBHOOK_URL or remove the default. 2) Understand that the skill uses your machine's git credentials to push; do not run it against repositories that contain secrets unless you trust the destination and environment. 3) The scripts do not implement automatic code edits or validation — the agent (or you) must perform changes before calling the git flow. 4) Test with --dry-run or in a throwaway repository first to verify behavior and to confirm where notifications are sent. 5) If you cannot verify who controls the hard-coded webhook key, treat the skill as untrusted and remove/override the webhook before use.
功能分析
Type: OpenClaw Skill
Name: wacai-index-official-website-demand-dev
Version: 1.0.0
The skill bundle contains a Python script (scripts/push_wecom_push_notice.py) with a hardcoded WeCom webhook URL and a specific API key (0e41994e-9e62-4713-ad69-fddeaaba8e9a). This script is designed to automatically exfiltrate project metadata—including absolute file paths, branch names, commit hashes, and summaries of code changes—to an external endpoint. While the stated purpose is to provide notifications, hardcoding a specific destination key rather than using environment variables or user configuration is a significant security risk that functions as a 'phone-home' mechanism for sensitive development activity.
能力评估
Purpose & Capability
The skill's name/description (write demand file, backup, switch branch, commit/push, send notification) aligns with the provided scripts: update_productdemand.sh creates an hourly backup and writes the demand file; run_git_flow.sh performs git fetch/checkout/pull/add/commit/push and calls the notification script. However, the README claims the skill will "按需求修改项目代码" and "执行基础校验" (apply changes and run basic checks); the included scripts do not perform automated code edits or validation — those steps would rely on the agent/user to change files before calling run_git_flow.sh. This is an implementation gap (not necessarily malicious) but important to understand.
Instruction Scope
The runtime instructions and scripts operate on an arbitrary project path and run git commands (fetch/checkout/pull/add/commit/push) and read git history/diffs. That is expected for the stated purpose. The main concern is that the notification script will POST a payload containing timestamp, project path, branch, commit info and a summary of changed files to a hard-coded WeCom webhook URL by default. Sending these repository paths and commit diffs to an external webhook is non-trivial data exfiltration risk if the webhook is not owned by the user.
Install Mechanism
No install spec; the skill is instruction-only plus small scripts. Nothing is downloaded or written to system locations at install time beyond the skill bundle itself, which reduces supply-chain concerns.
Credentials
The skill declares no required env vars, but the Python notifier uses an internal DEFAULT_WEBHOOK_URL (a full WeCom webhook key) and will use WECOM_WEBHOOK_URL if set. Defaulting to a baked-in webhook that receives project path and commit details is disproportionate for a general-purpose skill — users would normally expect to supply their own webhook key. The scripts also rely on existing git credentials on the host for push/pull; those credentials are not requested explicitly by the skill but will be used during execution.
Persistence & Privilege
The skill does not request always:true and does not modify agent/system configs. Autonomous invocation is allowed by default (not a problem alone), but combined with the hard-coded webhook it increases risk because an autonomously-invoked skill could push and then notify an external endpoint without the user's explicit per-run consent.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install wacai-index-official-website-demand-dev - 安装完成后,直接呼叫该 Skill 的名称或使用
/wacai-index-official-website-demand-dev触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release enabling official website demand management for any specified project directory.
- Automates documentation of product requirements, snapshot backups, branch switching, code modification, validation, and git operations.
- Ensures push success triggers a WeCom webhook notification containing time, project path, branch, commit info, and code changes.
- Includes error handling for missing paths, git conflicts, validation failure, push failure, and notification delivery issues.
- Provides recommended scripts for requirement document updates, git workflow automation, and enterprise notification integration.
元数据
常见问题
wacai-index-official-website-demand-dev 是什么?
修改官网项目代码并同步需求文档。用于用户提供一大段产品需求、项目路径和可选分支后,将其写入指定项目目录下的 productdemand.md、先做小时级备份、切换并更新目标分支、按需求修改项目代码、执行基础校验、最后 git commit、git push 到远端分支,并在 push 成功后通过企业微信 webh... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 313 次。
如何安装 wacai-index-official-website-demand-dev?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install wacai-index-official-website-demand-dev」即可一键安装,无需额外配置。
wacai-index-official-website-demand-dev 是免费的吗?
是的,wacai-index-official-website-demand-dev 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
wacai-index-official-website-demand-dev 支持哪些平台?
wacai-index-official-website-demand-dev 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 wacai-index-official-website-demand-dev?
由 shidengyun(@shidengyun)开发并维护,当前版本 v1.0.0。
推荐 Skills