Total downloads: 136
Favorites: 0
Current installs: 0
Versions: 4
Install in OpenClaw
/install zhuocha
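Description
Tender duplicate-project verification assistant. Activated when multiple jy_id records under the same reid need to be analyzed to decide whether they are true duplicates. Data sources: dify_ns_re_readsource (reid grouping) + dwd_bid_it_all (detail fields, port 5200) + ods_bid_content (original body text, port 5100). Typical trigger phrases: "找茬大师", "分析...
Security usage advice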
This skill appears to implement the duplicate-tender checking workflow described, but there are important mismatches and risky instructions you should address before installing or running it:
- Implementation vs docs mismatch: SKILL.md requires reading detailed fields from dwd_bid_it_all on port 5200, but the included script reads those fields from the dify_ns_re_readsource table via the 6100 endpoint. Confirm which data source is correct and update docs or code. Also the doc admonition to avoid LEFT() in SQL contradicts the script, which uses LEFT(detail, N).
- Dangerous DB operation: The documentation suggests using TRUNCATE TABLE result.dify_ns_re_result to recover from bad inserts. TRUNCATE removes all data and requires high DB privileges — do NOT run this without backups, explicit authorization, and an audit of who can perform it. Ask the author for safer remediation steps (e.g., DELETE with WHERE + logged backup, or use transactions and a staging table).
- Network / auth: The script posts and queries internal HTTP endpoints (no auth in code). Confirm these endpoints require authentication and that writing to result.dify_ns_re_result is allowed for the account/service that will run the skill. If these endpoints are unauthenticated, running the skill could leak or corrupt internal data.
- Testing & fixes: Run the script in a safe, isolated environment (or against a staging copy of the APIs and DB) and verify behavior. Check/fix SQL generation when 'done' set is empty to avoid malformed queries. Verify the list of jy_id written to rd is correctly formed and that the payload encoding/charset is handled safely (the docs mention Chinese punctuation problems).
If you cannot validate the above with the skill author or test environment, treat this skill as untrusted and avoid running it against production/internal services.
Functional analysis
Type: OpenClaw Skill
Name: zhuocha
Version: 1.3.0
The skill bundle is designed for bidding project deduplication but contains high-risk patterns, including hardcoded internal IP addresses (192.168.88.51) and SQL injection vulnerabilities. Both SKILL.md and scripts/zhuocha_finder.py construct SQL queries using string formatting with unsanitized inputs, and the instructions direct the agent to perform direct database inserts via a web API. While these capabilities appear aligned with the stated business purpose, the lack of input validation and direct internal network interaction represent significant security flaws.
Capability assessment
Purpose & Capability
The skill claims to verify duplicate tender records using three internal data sources and to write results back to an internal result table. The SKILL.md and the Python script both target the same internal HTTP APIs on 192.168.88.51 and the same DB tables, which is consistent with the stated purpose. However, the SKILL.md insists the detailed fields must come from the dwd_bid_it_all table on port 5200, while the shipped script fetches those fields from TABLE_RE (dify_ns_re_readsource via 6100) instead of calling the 5200 API — a mismatch that indicates the implementation does not follow the documented data-source requirement.
Instruction Scope
SKILL.md instructs the agent/program to query internal HTTP APIs and to write JSON INSERTs into result.dify_ns_re_result; that matches the script. Concerns: (1) SKILL.md explicitly recommends using Python urllib and avoiding bash/curl for writing results — the included script uses requests (Python) which is fine, but the docs and code disagree on some SQL practice (SKILL.md says 'do not use LEFT() in SQL; fetch full detail and slice in Python', yet the script's get_detail uses LEFT(detail, N) in its SQL). (2) The docs state the API does not support DELETE/UPDATE and recommend TRUNCATE TABLE result.dify_ns_re_result to clear bad rows — TRUNCATE is a destructive, high-privilege operation and recommending it as the remedy is dangerous and disproportionate; the skill gives no guidance about backups, authorization, or safeguards. (3) Some SQL builders in the script can produce syntactically invalid queries when the 'done' set is empty (e.g., WHERE reid NOT IN ()), indicating fragile behavior that could produce unexpected errors or broad queries.
Install Mechanism
This is an instruction-only skill with a small Python script and no install specification. Nothing is written to disk by an installer step and no external packages are being pulled by an automated installer. Risk from install mechanism is low.
Credentials
The skill requests no environment variables or credentials, which is coherent. It does, however, perform network calls to internal IPs (192.168.88.51 on ports 5100/6100 and references 5200). Network access to internal APIs is expected for this use-case, but it means the skill will read and write internal DB data without any declared authentication. Ensure the target APIs require appropriate auth and logging; otherwise the script could read/write sensitive internal data unexpectedly.
Persistence & Privilege
The skill does not request permanent inclusion (always: false) and contains no code that modifies other skills or system-wide agent config. It writes to a result table in the target environment, which is expected functionality for this task.
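How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install zhuocha`
- Once installation completes, call the Skill by name or use `/zhuocha` to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history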
v1.3.0
zhuocha 1.3.0
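- Strengthened write guidance: added an explicit requirement to write to the database only with Python `urllib`; bash/curl is prohibited, to avoid errors caused by splitting on Chinese commas (re_result field ends up NULL).
- Strengthened SQL query advice: the detail field must not be truncated in SQL; slice it on the Python side with [:150] instead, to avoid compatibility problems.
- Refined the notes on handling multi-jy_id groups and on the API supporting only INSERT, not UPDATE/DELETE.
- Improved the output report format; cumulative counts can now be output.
- Corrected and expanded the descriptions of several common judgment patterns, making the judgment criteria more fine-grained.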
v1.2.0
**Changelog for zhuocha v1.2.0**
- Clarified and updated the data table usage: detail fields now must be queried from `dwd_bid_it_all` on port 5200, not from `dify_ns_re_readsource` (which only contains reid and jy_id).
- Added explicit separation of roles for each table and endpoint in the documentation.
- Enhanced instructions to always use the correct source for business fields (project information, etc.), reducing errors from referencing incomplete data.
- Improved documentation to reflect the updated field sources throughout workflow explanations and examples.
v1.1.0
**Changelog for zhuocha v1.1.0**
- Clarified that proj_name is only a supplementary reference—final duplication judgments must rely on project number, customer name, and procurement content from the detail field.
- Added explicit instructions for handling records with invalid or empty proj_name: always check detail for confirmation.
- Strengthened logic and tips for multi-jy_id groups, especially to avoid misjudgment when proj_name is invalid but grouped together.
- Expanded typical non-duplicate patterns, including more cases of invalid proj_name and incorrect grouping.
- Enhanced warnings and step-by-step guidance against false positives in second announcement situations ("second-announcement misjudgment").
v1.0.0
Initial release of zhuocha: a bid project deduplication verification assistant.
- Supports verification of repeated projects under the same `reid` via field and content comparison.
- Outlines step-by-step judging logic using fields: title, proj_name, customer_standard_new, detail, att_ext.
- Provides detailed SQL query and result writing instructions, with strict data handling requirements.
- Includes tips for complex cases (e.g., multi-batch, secondary announcements, and attachments).
- Offers user summary reporting and guidelines for batch operation and progress tracking.
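FAQ
What is zhuocha?
Tender duplicate-project verification assistant. Activated when multiple jy_id records under the same reid need to be analyzed to decide whether they are true duplicates. Data sources: dify_ns_re_readsource (reid grouping) + dwd_bid_it_all (detail fields, port 5200) + ods_bid_content (original body text, port 5100). Typical trigger phrases: "找茬大师", "分析... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 136 cumulative downloads so far.
How do I install zhuocha?
Run the command "/install zhuocha" in the OpenClaw or Claude Code chat box for one-click installation; no extra configuration is needed.
Is zhuocha free?
Yes, zhuocha is completely free. It uses the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does zhuocha support?
zhuocha is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed zhuocha?
It is developed and maintained by cybluesky (@cybluesky); the current version is v1.3.0.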