Total downloads: 638
Favorites: 2
Current installs: 1
Versions: 20
Install in OpenClaw
/install zadig
Description
⚠️ Requires ZADIG_API_URL + ZADIG_API_KEY | Zadig DevOps platform API client
Security usage recommendations
This skill appears to be a straightforward Zadig API client. Before installing:
1) Confirm ZADIG_API_URL points to your intended Zadig server (not a public or unknown host).
2) Use a least-privilege API token (scoped, short-lived if possible) and avoid committing the token to VCS.
3) Review the included index.js (it makes HTTPS calls to whatever URL you provide and sets Authorization: Bearer <token>) and ensure no unexpected hardcoded endpoints exist.
4) Note the minor version mismatch in metadata (package/README vs registry) and prefer obtaining the skill from a trusted source or official repository if possible.
If you need the agent to call other services, check how ZADIG_API_URL will be set and who can modify it.
Functional analysis
Type: OpenClaw Skill
Name: zadig
Version: 4.0.2
The skill is classified as suspicious due to a critical shell injection vulnerability found in the `getServiceLogsSync` function within `index.js`. This function uses `child_process.execSync` to execute a `curl` command, where parameters like `pod.name` and `containerName` are directly interpolated into the shell command string without proper sanitization. This allows an attacker who can control these input parameters to execute arbitrary commands on the host system running the OpenClaw agent. While this is a severe Remote Code Execution (RCE) risk, there is no clear evidence of intentional malicious behavior (e.g., data exfiltration to an unauthorized endpoint, persistence mechanisms) by the skill's author; it appears to be an implementation flaw rather than a deliberate attack.
Capability assessment
Purpose & Capability
Name/description claim a Zadig API client and the package.json, SKILL.md, and index.js consistently implement a Zadig OpenAPI client. Minor metadata inconsistency: package.json / README list version 4.0.1 while registry metadata shows 4.0.2 — not a security problem but worth noting.
Instruction Scope
SKILL.md instructs the agent to read a .env for ZADIG_API_URL and ZADIG_API_KEY and to call the Zadig server; index.js only reads process.env and makes HTTP(S) requests to the API_BASE derived from ZADIG_API_URL. There are no instructions to read unrelated files or exfiltrate data to other endpoints.
Install Mechanism
No install spec is provided (instruction-only runtime with included Node.js source). No downloads from external URLs or archive extraction. The skill includes a local index.js implementation rather than pulling arbitrary code at runtime.
Credentials
Declared required environment variables are ZADIG_API_URL and ZADIG_API_KEY (plus optional defaults). These are exactly the credentials needed to operate the client; no unrelated secrets or extra credentials are requested.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform-wide privileges. It declares read:env and network:https which are appropriate for its operation and does not modify other skills or global configuration.
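How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install zadig
- Once installation completes, invoke the Skill by name or trigger it with /zadig
- Provide the required inputs as described in the Skill's parameter documentation to get structured output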
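Version history
v4.0.2
Fixed version number consistency; added convenience methods: getServiceStatus, getServiceLogsSync; fixed missing parameters in the logs API
v4.0.1
Added convenience methods: getServiceStatus, getServiceLogsSync; fixed missing parameters in the logs API; updated package.json metadata
v1.1.1
Updated package.json metadata
v1.1.0
Added convenience methods: getServiceStatus, getServiceLogsSync; fixed missing parameters in the logs API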
v4.0.0
Zadig Skill 4.0.0 includes major updates:
- Completely rewritten documentation focused on configuration, required environment variables, permissions, and usage.
- Emphasizes API authentication requirements with ZADIG_API_URL and ZADIG_API_KEY.
- Lists core supported features (project/workflow/environment/service/build/test management).
- Adds permission details and security best practices.
- Provides clear usage examples for integration.
v3.0.0
Version 3.0.0 introduces a major update to Zadig Skill, providing a comprehensive DevOps platform API client.
- Added support for Zadig OpenAPI, enabling project, workflow, environment, service, build, and test management.
- Now requires setting ZADIG_API_URL and ZADIG_API_KEY as environment variables for authentication.
- Enhanced with sample code and recommended security best practices.
- Declares necessary permissions for environment and network access.
vv2.0.0
v2.2.0 — No code or documentation changes detected in this release.
- No updates to code or documentation content.
- No new features, bug fixes, or modifications noted.
v1.0.0
Initial release of zadig skill: OpenAPI-based DevOps platform client.
- Requires ZADIG_API_URL and ZADIG_API_KEY environment variables for configuration.
- Supports core features: project, workflow, environment, service, build, and test management via Zadig API.
- Provides usage examples in JavaScript.
- Details permission needs and security recommendations.
v2.2.0
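- Updated to the Zadig v4.2 OpenAPI specification, improving compatibility and feature completeness
- Detailed the environment variable configuration, including required and optional variables
- Clarified permission requirements, listing the required read:env and network:https permissions
- Core features cover project, workflow, environment, service, build, and test management
- Provided new usage examples and security recommendations, improving usability and security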
v2.1.0
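- Upgraded to a DevOps platform client based on the Zadig v4.2 OpenAPI specification
- Updated the environment variable configuration notes, supporting multiple environments (ZADIG_ACTIVE_ENV) and the admin API
- Explicitly listed the required permissions and core feature categories
- Added security recommendations and detailed usage examples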
v2.0.9
- Added SKILL.md documentation (initial release of documentation).
- Version update to 2.0.9.
v2.0.8
- Updated package.json configuration.
- Added a new SKILL.md file for documentation.
v2.0.7
Zadig 2.0.7
- Updated SKILL.md documentation.
- No further details provided.
v2.0.6
zadig 2.0.6
- Added initial SKILL.md documentation.
- No additional feature or bugfix information provided for this version.
v2.0.5
Version 2.0.5
- Added initial SKILL.md documentation.
v2.0.4
Zadig Skill 2.0.4
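- Fully upgraded to support the Zadig v4.2 OpenAPI specification, with broader API coverage.
- Added detailed usage instructions covering core features such as projects, workflows, environments, builds, tests, releases, and clusters.
- Strengthened the configuration guidance, making clear that the ZADIG_API_URL and ZADIG_API_KEY environment variables are required.
- Supports production/test environments, service and image management, and version- and permission-related operations.
- Provides extensive sample code so developers can integrate and call it quickly.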
v2.0.3
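Explicitly marked the required environment variables in the description
v2.0.2
Declared environment variables and runtime permissions; added security documentation
v2.0.1
Support for multiple environments (uat/admin), automatic inspection, fixed hard-coded sensitive information
v2.0.0
Support for multiple environments (uat/admin), automatic inspection and automatic repair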
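FAQ
What is zadig?
⚠️ Requires ZADIG_API_URL + ZADIG_API_KEY | Zadig DevOps platform API client. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 638 cumulative downloads to date.
How do I install zadig?
Run the command "/install zadig" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.
Is zadig free?
Yes, zadig is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does zadig support?
zadig is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed zadig?
Developed and maintained by lilianzhu (@lilianzhu); the current version is v4.0.2.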