← 返回 Skills 市场
zhiliao
作者
jfeng03-dev
· GitHub ↗
· v1.0.0
· MIT-0
121
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install zhiliao
功能描述
知了 - AI 话题追踪与资讯聚合服务。通过自然语言创建追踪话题,自动从全网聚合相关文章并定时更新。适用场景:(1) 创建信息追踪话题(如追踪黄金价格、科技新闻、行业动态),(2) 获取和浏览话题下的聚合文章,(3) 设置定时任务定期抓取新文章,(4) 查看/管理话题列表,(5) 取消订阅不需要的话题。触发关键词...
安全使用建议
What to consider before installing:
- The core scripts appear coherent for a news/topic aggregator and legitimately require only ZHILIAO_API_KEY. You should provide your own API key rather than using any key bundled in the repository.
- The package includes .claude/settings.local.json which lists many broad file/command permissions and contains an apparent hard-coded API key string. Treat that file as suspicious: do not run or import its commands as-is. Remove or inspect it before use.
- Inspect the included shell scripts yourself; they only contact api-public.zhiliao.news and store files under ~/.zhiliao. If you accept the skill, configure ZHILIAO_API_KEY via an environment variable or local config and do not accept or paste any keys found in the bundle.
- Rotate the API key if you previously used the hard-coded key anywhere, and never publish your personal API key. If you plan to add cron jobs, ensure they run under the intended account and not as root.
- If you want stronger assurance: run the scripts in a sandboxed environment, review the .claude/settings.local.json (or delete it), and confirm the remote endpoints (api-public.zhiliao.news / h5.zhiliao.news) are legitimate before providing credentials.
If you want, I can extract and show just the lines from .claude/settings.local.json that contain the hard-coded API key and the most concerning permission entries, so you can inspect them directly.
功能分析
Type: OpenClaw Skill
Name: zhiliao
Version: 1.0.0
The skill bundle is classified as suspicious due to the inclusion of a highly permissive `.claude/settings.local.json` file, which appears to be a leaked development configuration. This file grants broad permissions, including 'git push', 'npm install', and access to specific local file paths (e.g., `/Users/jinfeng/Documents/deeplang/**`), and contains a hardcoded API key (`sk_5f7d...`). While the core logic in the shell scripts (e.g., `create-topic.sh`, `fetch-articles.sh`) appears benign and aligned with the stated news aggregation purpose, the presence of these excessive permissions and sensitive artifacts represents a significant security risk and a lack of bundle sanitization.
能力评估
Purpose & Capability
Name/description, declared primaryEnv (ZHILIAO_API_KEY) and the included shell scripts (create-topic, fetch-articles, list-topics, unsubscribe, check-articles) are coherent: they call the zhiliao API, store data under ~/.zhiliao, and output Markdown. No unrelated cloud credentials or unrelated binaries are requested.
Instruction Scope
SKILL.md and the shell scripts stay within the expected scope (reading/writing ~/.zhiliao, calling api-public.zhiliao.news, using curl/jq/iconv). However, the included .claude/settings.local.json contains many allowed commands and read rules that reference arbitrary local paths (e.g. Read(//Users/jinfeng/Documents/deeplang/**), many Bash(...) entries) which go well beyond the skill's stated purpose and could lead an agent to examine unrelated files or run unrelated commands.
Install Mechanism
No install spec is provided (instruction-only). The skill includes shell scripts which will run locally but there is no network download/install step in the manifest. This is lower risk than arbitrary remote installs.
Credentials
The declared credential (ZHILIAO_API_KEY) is appropriate for the API-based functionality. However, the repository includes a .claude/settings.local.json containing an exposed API key string and many permissive commands/paths. Embedding a secret in the package and recommending commands that export it (or point to local user files) is disproportionate and can leak credentials or encourage unsafe execution.
Persistence & Privilege
The skill does not set always:true and allows normal autonomous invocation. But the included .claude/settings.local.json attempts to grant broad runtime permissions (file reads, arbitrary bash commands, WebFetch domains) which, if used by an agent, would increase the skill's effective privileges and access to user files—this is unnecessary for the described aggregator functionality.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install zhiliao - 安装完成后,直接呼叫该 Skill 的名称或使用
/zhiliao触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
知了 (zhiliao) 1.0.0 — 首个版本发布
- 提供基于自然语言的话题追踪与全网资讯聚合服务。
- 支持两步式话题创建(预览+确认),并可直接关注或新建追踪主题。
- 可获取和本地缓存订阅话题的最新相关文章,支持分页浏览。
- 支持话题列表查看、详细信息展示与一键取消订阅。
- 内置定时任务与批量更新功能,便于实现自动化资讯推送。
- 所有数据及配置本地私有化保存,命令行工具易于集成与扩展。
元数据
常见问题
zhiliao 是什么?
知了 - AI 话题追踪与资讯聚合服务。通过自然语言创建追踪话题,自动从全网聚合相关文章并定时更新。适用场景:(1) 创建信息追踪话题(如追踪黄金价格、科技新闻、行业动态),(2) 获取和浏览话题下的聚合文章,(3) 设置定时任务定期抓取新文章,(4) 查看/管理话题列表,(5) 取消订阅不需要的话题。触发关键词... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 121 次。
如何安装 zhiliao?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install zhiliao」即可一键安装,无需额外配置。
zhiliao 是免费的吗?
是的,zhiliao 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
zhiliao 支持哪些平台?
zhiliao 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 zhiliao?
由 jfeng03-dev(@jfeng03-dev)开发并维护,当前版本 v1.0.0。
推荐 Skills