dmeteor8

yanxue

Author: Dmeteor8 · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 360
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install yanxue
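Description
📚 Study-tour plan management and intelligent generation skill. Generates complete study-tour course plans by city, school stage, attraction, theme, and duration, and provides saving, management, Word export, and file import/export for plans. Suitable for study-travel course design for primary and secondary schools (grades 1-9 and senior high school).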
Security recommendations
This skill is largely coherent with its stated purpose (generate, save, list, export course plans). Before installing or using it:
- Audit the included scripts: manage_courses.py and export_word.py are small; verify they match your expectations. In particular, manage_courses.save will read any file you point it to and write files into /home/ubuntu/yanxue_courses — avoid passing sensitive system file paths as the content_path.
- Check /home/ubuntu/yanxue_courses permissions and decide whether you want a skill creating persistent files there. Consider changing STORAGE_DIR to a location you control or run the skill in an isolated environment.
- Inspect SKILL.md and filenames for hidden/zero-width unicode control characters (the pre-scan flagged these). Remove or normalize suspicious characters to avoid hidden instructions or obfuscation.
- Ensure the runtime environment has the Python packages the export script needs (markdown, htmldocx) and prefer installing them from your vetted package sources.
- If you plan to enable any automated distribution (the README mentions sending via Feishu), require explicit user consent and verify network endpoints and credentials before allowing transmissions.
- If you have low tolerance for on-disk persistence or for code that can read arbitrary file paths, run this skill in a sandbox/container or request a version that prompts before reading external file paths.
I am moderately confident in this assessment; additional details that would raise confidence include a provenance/source URL, a signed release, or confirmation that references/ and storage paths are present and limited to the skill's directory.
Functional analysis
Type: OpenClaw Skill
Name: yanxue
Version: 1.0.0
The skill's core functionality for managing and exporting course plans is benign. However, the Python scripts `scripts/export_word.py` and `scripts/manage_courses.py` exhibit significant vulnerabilities. Both scripts directly use user-provided file paths from `sys.argv` without proper sanitization, making them susceptible to path traversal attacks. Specifically, `manage_courses.py` can be prompted to read the content of arbitrary files (e.g., `/etc/passwd`) and save them within the skill's storage directory, and `export_word.py` could be used to write arbitrary `.docx` files to unintended locations. While there is no clear evidence of intentional malicious behavior within the provided code, these vulnerabilities present a high risk for arbitrary file access and potential data exfiltration if exploited by a malicious agent or through prompt injection, especially given the `SKILL.md`'s mention of '文件分发' (file distribution).
Capability assessment
Purpose & Capability
Name/description align with the code and instructions: generating course plans, saving them, listing them, and exporting Markdown -> .docx are exactly what the scripts and templates provide.
Instruction Scope
SKILL.md instructs the agent to read templates and the references/ directory and to use scripts to save and export plans. That is appropriate for a content-generation/management skill. However, the manage_courses.save flow reads an arbitrary content_path supplied to the save command and the skill instructs automatic saving to /home/ubuntu/yanxue_courses — these behaviors allow the skill (or an agent following it) to read arbitrary local files (if given a path) and create persistent files under a fixed host path, which may be used unintentionally to collect or persist sensitive local data if misused. The SKILL.md also mentions distributing exported files (e.g., via Feishu) but provides no implementation; that could lead to ad-hoc network sends if an agent is extended to do so.
Install Mechanism
No install spec (instruction-only) and included scripts are small, plain Python. No downloads from third-party URLs or package installs are specified. The export script does require Python packages (markdown, htmldocx) but those are common and expected for Markdown->DOCX conversion.
Credentials
The skill declares no required environment variables, no credentials, and no config paths beyond its own storage directory. Requested permissions (filesystem write under /home/ubuntu/yanxue_courses) are proportionate to a save/export feature, though still should be noted.
Persistence & Privilege
always:false and default autonomous invocation are used. The skill writes files into a fixed directory under /home/ubuntu which is normal for a local course manager, but this is persistent on-disk data. There is no evidence the skill modifies other skills or system-wide settings.
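How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install yanxue
  3. Once installation completes, call the Skill by name or trigger it with /yanxue
  4. Provide the required inputs according to the Skill's parameter description to get structured output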
Version history
v1.0.0
1
Metadata
Slug yanxue
Version 1.0.0
License
Total installs 0
Current installs 0
Historical versions 1
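FAQ

What is yanxue?

📚 Study-tour plan management and intelligent generation skill. Generates complete study-tour course plans by city, school stage, attraction, theme, and duration, and provides saving, management, Word export, and file import/export for plans. Suitable for study-travel course design for primary and secondary schools (grades 1-9 and senior high school). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 360 cumulative downloads so far.

How do I install yanxue?

Run the command "/install yanxue" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is yanxue free?

Yes, yanxue is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does yanxue support?

yanxue runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed yanxue?

Developed and maintained by Dmeteor8 (@dmeteor8); the current version is v1.0.0.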
