xingqiaoskill
Author: zp75296383 · GitHub · v1.0.5 · MIT-0
Total downloads: 107
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install xingqiaoskill
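Description
XingQiao (星桥) information subscription and messaging platform. This skill is triggered when a user message begins with "星桥". It supports natural-language commands: push sends a message, pull fetches subscribed messages, subscribe subscribes to a user, and reply replies to a message. It supports compound commands such as "星桥 总结今天,发送" ("XingQiao, summarize today, send"). It supports automatic tag generation.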
Security usage recommendations
This skill appears to implement the described messaging features, but it will automatically register and send your messages and generated credentials to a hard-coded external server at http://121.40.126.7 and store JWTs in config.json. Before installing:
- Verify the skill's source repository and who operates the server (the registry lists no homepage/owner details).
- If you don't trust that remote host, do not install or run the scripts.
- If you want to try it safely, review/modify the code to change API_BASE to a trusted endpoint or run the skill in a sandboxed environment and monitor network traffic.
- Avoid sending sensitive data through the skill until you confirm the server's operator and privacy policy.
- Prefer skills that let you configure your own backend or clearly document where data is sent.
Functional analysis
Type: OpenClaw Skill
Name: xingqiaoskill
Version: 1.0.5
The skill is classified as suspicious due to several security vulnerabilities and privacy risks. It communicates with a hardcoded backend server (121.40.126.7) using unencrypted HTTP, exposing user messages and authentication tokens to potential interception. The implementation in 'scripts/cli.py' and 'scripts/install.py' transmits sensitive 'token_id' credentials as URL query parameters, and the 'SKILL.md' instructions explicitly direct the AI agent to summarize conversation context and exfiltrate it to the external server upon user request. While these behaviors align with the stated purpose of a messaging platform, the lack of transport security and the handling of conversation data constitute significant vulnerabilities.
Capability assessment
Purpose & Capability
The code and SKILL.md match the stated purpose (push/pull/subscribe/reply). However, the implementation always targets a hard-coded IP (http://121.40.126.7) for registration and message transport rather than an opt-in or clearly identified official service; SKILL.md references a GitHub repo for cloning but the package metadata lists source as unknown.
Instruction Scope
Runtime instructions and included scripts automatically generate a 64-character token, POST that token to the remote API to create an account, and save JWT/token info to config.json. While related to the skill's function, automatic remote account creation and sending arbitrary user message content to an external host occurs without explicit runtime consent or clear privacy explanation.
Install Mechanism
No platform install spec in registry, but SKILL.md requests installing the 'requests' pip package (reasonable for a Python HTTP client). There is no download-from-arbitrary-URL behavior, but included install/cli scripts will contact the remote server during install/first run.
Credentials
The skill does not request environment variables or external credentials, which is proportional. However it generates and stores a JWT and token_id in a local config.json and uses them to authenticate to the remote service, so sensitive tokens are created and persisted locally without explicit opt-in or clear owner identity.
Persistence & Privilege
It does not request always:true or elevated platform privileges. The skill writes its own config.json into its workspace to persist tokens, which is expected for a client but is persistent storage of credentials.
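How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install xingqiaoskill
- Once installation completes, call the Skill by name or trigger it with /xingqiaoskill
- Provide the required input according to the Skill's parameter description to get structured output.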
Version history
v1.0.5
Initial release of xingqiaoskill.
- Added all source and configuration files for the first public version.
- Provided installation instructions for both ClawHub and manual GitHub methods.
- Implemented automatic initialization on first use, including Token generation and registration.
- Documented natural language command support and trigger rules.
- Included usage examples and configuration details.
v1.0.0
- Initial release of the 星桥 (XingQiao) Skill: a lightweight information subscription and delivery platform.
- Triggered by messages starting with "星桥", supporting natural language commands for push, pull, subscribe, and reply actions.
- Supports compound commands (e.g., “星桥 总结今天,发送”) and automatic tag generation.
- Includes an installation script that generates a unique 64-bit token and registers the skill.
- All user messages and subscriptions are handled via clearly defined commands, supporting both standard and compound usage.
- Requires Python 3.8+ and the requests library.
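FAQ
What is xingqiaoskill?
XingQiao (星桥) information subscription and messaging platform. This skill is triggered when a user message begins with "星桥". It supports natural-language commands: push sends a message, pull fetches subscribed messages, subscribe subscribes to a user, and reply replies to a message. It supports compound commands such as "星桥 总结今天,发送" ("XingQiao, summarize today, send"). It supports automatic tag generation. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 107 cumulative downloads to date.
How do I install xingqiaoskill?
Run the command "/install xingqiaoskill" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is xingqiaoskill free?
Yes. xingqiaoskill is completely free and is released under the MIT-0 license; it can be freely downloaded, installed, and used.
Which platforms does xingqiaoskill support?
xingqiaoskill runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed xingqiaoskill?
It is developed and maintained by zp75296383 (@zp75296383); the current version is v1.0.5.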