← 返回 Skills 市场
ZeroRules — Deterministic Task Interceptor
作者
deeqyaqub1-cmd
· GitHub ↗
· v1.0.3
1848
总下载
2
收藏
1
当前安装
4
版本数
在 OpenClaw 中安装
/install zero-rules
功能描述
Intercept deterministic tasks (math, time, currency, files, scheduling) BEFORE they hit the LLM. Saves 50-70% on token costs by resolving simple queries locally with zero API calls.
安全使用建议
This skill appears to do what it says: run the local Node script to answer trivial deterministic queries without calling the LLM. Before installing, review rules.js yourself (or inspect the provided files) if you want certainty: it will create ~/.zerorules-session.json (match counts, timestamps, token/cost totals) and will list directories you ask it to list. Currency conversions use exchangerate.host over the network (3s timeout) and fall back to offline rates if unavailable — if you need fully offline operation, disable/remove the currency rule. There are no requested credentials or opaque remote installers, but confirm the homepage/GitHub source if provenance matters. Test with `/zero-rules test <message>` to verify behavior in your environment.
功能分析
Type: OpenClaw Skill
Name: zero-rules
Version: 1.0.3
The skill is classified as suspicious due to a critical shell injection vulnerability risk stemming from the instructions in `SKILL.md`. The markdown explicitly directs the AI agent to execute the `rules.js` script using the `exec` tool with the user's message as a direct argument (`node {baseDir}/rules.js "<user message>"`). This creates a high-severity RCE vulnerability if the OpenClaw agent's `exec` tool does not robustly sanitize or quote the user's input before passing it to the underlying shell. While the `rules.js` script itself demonstrates good security practices (e.g., blocking path traversal, avoiding `eval`/`exec` internally, using safe Node.js APIs for file and network operations), the method of invocation described in `SKILL.md` introduces a significant external attack surface.
能力评估
Purpose & Capability
Name/description (math, time, currency, files, dates) match the code and runtime instructions. The only required binary is node, which is reasonable for a Node.js rule engine. The skill reads/writes a local session file and lists directories for the 'files' rule — both are expected for the stated features.
Instruction Scope
SKILL.md instructs the agent to run rules.js with the user's message and to use the script result as the reply when matched. The script legitimately performs directory listings, computes math, resolves timezones, and calls an exchange-rate API. It persists lightweight session state (~/.zerorules-session.json). These behaviors stay within the advertised scope but you should be aware that invoking the files rule will enumerate directory entries you request and the session file is created in your HOME directory.
Install Mechanism
No install spec or remote downloads; skill is provided as local files (rules.js, SKILL.md, README). This is low-risk compared to fetching/executing remote archives. Node is the only binary required.
Credentials
No environment variables or credentials are required. The code uses process.env.HOME (to expand ~ and to store the session file). It makes a single outbound network call (https://api.exchangerate.host) for currency conversions; network use is limited and has a 3s timeout with offline fallbacks. Session file stores only match counts, token/cost totals, timestamps and rule names (no user queries per SKILL.md and code).
Persistence & Privilege
always:false and agent-autonomy settings are default. The only persistence is a small JSON session file in the user's HOME; the skill does not modify other skills or system-wide settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install zero-rules - 安装完成后,直接呼叫该 Skill 的名称或使用
/zero-rules触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.3
- Added Node.js as a required binary in the skill metadata (now lists "requires": {"bins":["node"]}).
- Updated security & transparency section: now explicitly states the session file only records session stats and a history of rule matches, never any user messages or input text.
- No changes to the skill’s functionality or usage.v1.0.3 — Declared Node.js in required bins. Session file explicitly stores only counters (match count, tokens saved, cost saved) and rule history ({rule, timestamp, tokens}) — no user messages or queries are ever persisted. Removed unused child_process import. Added full Security & Transparency section.
v1.0.2
v1.0.2 — Removed unused child_process.execSync import (zero shell execution). Added Security & Transparency section to SKILL.md. Documented: file listing uses fs.readdirSync only (never reads contents), single outbound call (exchangerate.host for currency, with offline fallback), path expansion via process.env.HOME not shell.
v1.0.1
Fixed metadata — removed false binary requirement so skill loads as ready
v1.0.0
v1.0.0 — Initial release. 5 built-in rules: math, time, currency, files, dates. Intercepts deterministic tasks before LLM. Zero tokens, zero latency.
元数据
常见问题
ZeroRules — Deterministic Task Interceptor 是什么?
Intercept deterministic tasks (math, time, currency, files, scheduling) BEFORE they hit the LLM. Saves 50-70% on token costs by resolving simple queries locally with zero API calls. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1848 次。
如何安装 ZeroRules — Deterministic Task Interceptor?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install zero-rules」即可一键安装,无需额外配置。
ZeroRules — Deterministic Task Interceptor 是免费的吗?
是的,ZeroRules — Deterministic Task Interceptor 完全免费(开源免费),可自由下载、安装和使用。
ZeroRules — Deterministic Task Interceptor 支持哪些平台?
ZeroRules — Deterministic Task Interceptor 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 ZeroRules — Deterministic Task Interceptor?
由 deeqyaqub1-cmd(@deeqyaqub1-cmd)开发并维护,当前版本 v1.0.3。
推荐 Skills