ham-kris

Yanji Bus Query

Author: Ham-Kris · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 276
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install yanjibus
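Description
Query the real-time vehicle positions on Yanji bus routes; you can specify the route number and sub-route, with fuzzy matching of origin and destination station names.
Security usage advice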
This skill appears to implement the advertised bus-query functionality, but you should be cautious before running it: (1) the metadata omits required binaries — ensure curl and python3 are available; (2) the script embeds the remote JSON (and user-supplied station names) directly into an inlined Python program without escaping, which could allow arbitrary Python code execution if the remote site or inputs are malicious or if an attacker can tamper with the HTTP responses; (3) only use this skill if you trust the bus.yanjibus.com host or run it in an isolated/sandboxed environment. If you plan to install or run it, consider patching the script to avoid embedding untrusted data into source (e.g., pass BUS_DATA via stdin or a temporary file and use json.load, and safely escape or validate user inputs), and update the skill metadata to list required binaries.
Functional analysis
Type: OpenClaw Skill
Name: yanjibus
Version: 1.0.0
The skill contains significant command injection vulnerabilities in `yanji-bus.sh`. User-provided arguments, such as station names and line numbers, are directly interpolated into a Python script block and shell commands without sanitization, which could allow for Remote Code Execution (RCE) if a user provides crafted input. While the tool's stated purpose of querying bus data from `bus.yanjibus.com` appears legitimate and there is no evidence of intentional malice, the implementation is highly insecure.
Capability assessment
Purpose & Capability
Name/description match the implementation: the script queries http://bus.yanjibus.com and prints route + realtime vehicle data. However the registry metadata declares no required binaries while the script clearly depends on curl and python3 — an omission that is incoherent and may mislead users about runtime requirements.
Instruction Scope
SKILL.md instructs the agent to run the included bash script which fetches HTML/JSON from bus.yanjibus.com and parses it. The script embeds two sources of untrusted input (BUS_DATA from the remote HTTP response and user-supplied --from/--to values) directly into the Python -c source as triple-quoted string literals without escaping. That creates a realistic remote/user-controlled code-injection / arbitrary-Python-execution risk if the fetched data or parameters contain quote sequences or crafted payloads.
Install Mechanism
No install spec — instruction-only with an included script. Nothing is downloaded or written during install, which is proportionate to the stated purpose.
Credentials
The skill requests no environment variables, credentials, or config paths, which aligns with its stated purpose of querying a public bus site.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system configs. Autonomous invocation is allowed by default but is not combined with other privilege escalation signals.
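How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install yanjibus
  3. Once installation completes, call the Skill by name or trigger it with /yanjibus
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output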
Version history
v1.0.0
- Initial release of the Yanji Bus Real-Time Query (延吉公交实时查询) skill.
- Supports real-time bus location lookup for Yanji bus routes.
- Allows queries by route number, optional sub-route, and optional departure/destination with station name fuzzy matching.
- Default sub-route is 1 if not specified (Route 3 has 3 sub-routes).
- Includes quick reference for popular routes and integration suggestion with the Gaode Map skill.
Metadata
Slug: yanjibus
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
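FAQ

What is Yanji Bus Query?

It queries the real-time vehicle positions on Yanji bus routes; you can specify the route number and sub-route, with fuzzy matching of origin and destination station names. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 276 cumulative downloads to date.

How do I install Yanji Bus Query?

Run the command "/install yanjibus" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Yanji Bus Query free?

Yes, Yanji Bus Query is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Yanji Bus Query support?

Yanji Bus Query runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Yanji Bus Query?

It is developed and maintained by Ham-Kris (@ham-kris); the current version is v1.0.0.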
