← 返回 Skills 市场
111
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install zhipu-image
功能描述
智谱 GLM-Image 网页端图片生成与下载。用于:检查 image.z.ai 登录态、必要时自动打开浏览器登录、抓取浏览器 Cookie、通过网页接口生成图片并下载到本地。适用于“用智谱生图”“生成一张图并保存/发送”“检查智谱登录状态”“自动打开智谱登录页”等场景。
安全使用建议
This skill will capture your browser session cookies for image.z.ai (it uses Chrome DevTools Protocol on port 18800) and save them as a plaintext JSON session file in your user home directory. Those cookies can grant access to your account, so only use this on a machine you trust. Note also: the code is Windows-oriented (uses USERPROFILE and start with cmd.exe) despite no OS restriction in metadata; if you're on macOS/Linux it likely won't work without modification. There's an odd fallback require path (an absolute path to another user's workspace) in zhipu_api.js — likely leftover developer code; it won't necessarily be malicious but is a red flag you may want to inspect. Before installing: review the JS source yourself, run npm install in an isolated environment (or a VM/container), ensure you understand and are comfortable with storing cookies in ~/.zhipu_image_session.json (or USERPROFILE), and consider manually exporting cookies rather than auto-capture if you have security concerns. After use, delete the session file if you no longer want stored credentials.
功能分析
Type: OpenClaw Skill
Name: zhipu-image
Version: 2.0.0
The skill automates image generation by extracting session cookies from a browser using the Chrome Remote Debugging Protocol (CDP) on port 18800, which is a high-risk method for session management. A notable indicator of poor practice or environment-specific targeting is found in `scripts/zhipu_api.js`, which contains a hardcoded absolute path to a specific user's directory (`C:\Users\huang\...`) for loading dependencies. While the data flow appears limited to the target service (image.z.ai), the combination of cookie scraping and hardcoded local paths makes this bundle suspicious.
能力评估
Purpose & Capability
The name/description (web login-based image generation for image.z.ai) align with the code: it captures browser cookies, probes image.z.ai endpoints, generates images, and saves files. However the SKILL.md and code disagree about session file location (SKILL.md says ~/.zhipu_image_session.json; code writes to USERPROFILE on Windows). The skill also implicitly requires a browser with remote debugging port 18800 and a Node runtime, but metadata did not declare these as required binaries/configs.
Instruction Scope
The SKILL.md explicitly instructs the agent to capture browser login state, open the login page, and save cookies; the code implements this. This scope is within the described purpose. Important caveat: capturing cookies means collecting session tokens (sensitive data). The code also includes a network monitor helper for reverse-engineering web requests; that is reasonable for maintenance but broad in that it inspects network traffic when used.
Install Mechanism
No remote downloads or extract steps are present. Dependencies are standard npm packages (chrome-remote-interface) declared in package.json / package-lock.json. There is no install spec in the skill bundle, so the risk surface is limited to included JS files and any npm install the user runs locally.
Credentials
The skill does not request environment variables or external credentials, but it programmatically captures browser cookies (sensitive session tokens) via Chrome DevTools Protocol on port 18800 and stores them plaintext in a session file in the user's home directory. Capturing and storing cookies is proportionate to a web-login approach, but it is privacy-sensitive and should be explicit to the user. Additional issues: hard-coded use of process.env.USERPROFILE (Windows) and an unconditional dependency on a browser remote debugging port are not declared in metadata.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and only stores its own session file in the user's home directory. It opens the browser (via cmd.exe/start) and may wait for user login, which are normal behaviors for a web-login helper.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install zhipu-image - 安装完成后,直接呼叫该 Skill 的名称或使用
/zhipu-image触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.0.0
2.0: fix local login/session workflow, improve image generation flow, refresh packaging for current workspace
v1.0.0
Initial release: session-aware image.z.ai login flow, automatic browser login, and prompt-to-image download helper.
元数据
常见问题
zhipu-image 是什么?
智谱 GLM-Image 网页端图片生成与下载。用于:检查 image.z.ai 登录态、必要时自动打开浏览器登录、抓取浏览器 Cookie、通过网页接口生成图片并下载到本地。适用于“用智谱生图”“生成一张图并保存/发送”“检查智谱登录状态”“自动打开智谱登录页”等场景。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 111 次。
如何安装 zhipu-image?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install zhipu-image」即可一键安装,无需额外配置。
zhipu-image 是免费的吗?
是的,zhipu-image 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
zhipu-image 支持哪些平台?
zhipu-image 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 zhipu-image?
由 huangm199(@huangm199)开发并维护,当前版本 v2.0.0。
推荐 Skills