silbosu

Zhang Xuefeng AI Assistant

Author: silbosu · GitHub · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 122
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install zhang-xuefeng-ai
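Description
Provides Zhang Xuefeng-style consulting on gaokao (college entrance exam) application choices, major selection, university analysis and career planning, with blunt, down-to-earth, opinionated answers.
Safe usage recommendations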
This skill is coherent with its stated purpose (local KB + style prompt) but has a few red flags you should consider before installing:
  1. SKILL.md/README direct you to download an encrypted knowledge package from vdoob.com. Verify the source and authenticity before downloading or running anything.
  2. The skill will decrypt and extract that archive into ~/.zhang-xuefeng/knowledge_base (note that README and code disagree about the exact path). Extraction uses zipfile.extractall without path sanitization, so a malicious or tampered archive could overwrite files or write outside the intended directory.
  3. The code includes pycryptodome (used) and 'requests' (unused) in dependencies. Unnecessary packages increase surface area.
  4. If you proceed, inspect the downloaded package (and its file list) in a safe environment or sandbox before activating; prefer running the skill in an isolated VM/container and avoid using passwords that are reused elsewhere.
  5. If possible, ask the publisher for an official, signed release or checksum for the KB and clarification on the expected download path and activation flow.
Functional analysis
Type: OpenClaw Skill
Name: zhang-xuefeng-ai
Version: 1.0.1
The skill implements a gated content model that directs users to an external website (vdoob.com) to download an encrypted 'knowledge base' and purchase activation codes. The extraction logic in `src/kb_manager.py` uses `zipfile.extractall()` without path sanitization, which is a known ZipSlip vulnerability that could allow a malicious ZIP file to overwrite arbitrary files on the user's system. While the code lacks explicit malicious payloads, the combination of a third-party binary requirement and vulnerable extraction logic poses a significant security risk.
Capability assessment
Purpose & Capability
The skill's name/description match the included code: it loads a local encrypted knowledge base and uses that to answer high‑school/career questions in a particular style. However _meta.json/requirements list 'requests' even though the Python code does not use network calls; README/SKILL.md instruct users to download the KB from vdoob.com while kb_manager expects the KB under ~/.zhang-xuefeng/knowledge_base (README suggests ~/.zhang-xuefeng/kb/) — this path/name mismatch is a minor incoherence.
Instruction Scope
SKILL.md instructs users to fetch an encrypted knowledge package from an external site (vdoob.com) and the skill will '自动解密' (auto decrypt and load). The code implements decryption and extracts a zip archive into the user's home directory. There is no sanitization of archive paths (zip.extractall is used directly), which can allow path traversal or overwrite of files if the archive is malicious or tampered with. The instructions also push the user to obtain an activation code from the third party — this external dependency and the automatic unpacking broaden the attack surface.
Install Mechanism
There is no automated install spec (lowest install risk). Dependencies are declared (pycryptodome and requests). pycryptodome is used for AES decryption and is reasonable; requests is declared but unused in the code, which is an unnecessary dependency but not itself malicious.
Credentials
The skill does not request environment variables, secrets, or external credentials. The primary behavior is local file I/O in the user's home directory to load the KB — capability requests appear proportionate to the stated purpose.
Persistence & Privilege
The skill writes extracted files and a temporary zip under the user's home (~/.zhang-xuefeng/knowledge_base) and creates an index. It does not request 'always: true' or other elevated platform privileges, but the archive extraction will persist files on disk and could overwrite user files depending on archive contents.
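How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install zhang-xuefeng-ai
  3. After installation, invoke the Skill by name or trigger it with /zhang-xuefeng-ai
  4. Provide the required inputs according to the Skill's parameter description to get structured output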
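Version history
v1.0.1
Fixed the author name to vdoob Team
v1.0.0
Zhang Xuefeng AI - Gaokao Application Consulting Skill v1.0.0
- Initial release, providing Zhang Xuefeng-style Q&A on gaokao applications, major selection, university analysis and career planning.
- Supports retrieving material from an encrypted knowledge base and combining it with a large model to generate blunt, opinionated answers.
- Smart keyword triggering, covering main topics such as filling in applications, choosing a major and employment directions.
- Simple installation and knowledge base download guidance for getting started quickly.
- Clearly defined Q&A scope, including gaokao consulting, major analysis, and university and regional advice.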
Metadata
Slug zhang-xuefeng-ai
Version 1.0.1
License MIT-0
Total installs 0
Current installs 0
Historical versions 2
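FAQ

What is Zhang Xuefeng AI Assistant?

Provides Zhang Xuefeng-style consulting on gaokao (college entrance exam) application choices, major selection, university analysis and career planning, with blunt, down-to-earth, opinionated answers. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 122 cumulative downloads so far.

How do I install Zhang Xuefeng AI Assistant?

Run the command "/install zhang-xuefeng-ai" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Zhang Xuefeng AI Assistant free?

Yes, Zhang Xuefeng AI Assistant is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does Zhang Xuefeng AI Assistant support?

Zhang Xuefeng AI Assistant runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Zhang Xuefeng AI Assistant?

It is developed and maintained by silbosu (@silbosu); the current version is v1.0.1.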
