← 返回 Skills 市场
ziniao-assistant
作者
ziniao-open
· GitHub ↗
· v1.0.1
· MIT-0
1416
总下载
2
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install ziniao-assistant
功能描述
Control Ziniao Browser via the local Ziniao bridge. On skill load or before first invoke, GET /zclaw/tools and treat returned name list as the only allowed t...
安全使用建议
This skill appears to do what it says (talk to a local Ziniao bridge), but the SKILL.md expects an API key and a local config file while the registry metadata declares none — that's the main inconsistency. Before installing:
- Confirm whether the skill actually needs ZCLAW_API_KEY and whether that key will be read from an env var or from ~/.zclaw/config.json. If so, the metadata should list that config path and env var.
- Understand that the skill will call localhost (default http://127.0.0.1:9481). Only install if you trust the local bridge running there — a compromised local service could misuse the skill's ability to invoke tools or accept posted data.
- Ask the publisher to update metadata to declare required env vars/config paths, and to document exactly what information is read from ~/.zclaw/config.json. Prefer explicit declared requirements over implicit file reads.
- Consider running the agent in a restricted environment (or without the API key) until you confirm behavior. If you must provide ZCLAW_API_KEY, store it securely and consider limiting its privileges.
- If you are uncomfortable with the skill reading a file in your home directory or with the documented operations (download_file, get_logs, write-to-Downloads), do not install until the publisher clarifies and the metadata is corrected.
功能分析
Type: OpenClaw Skill
Name: ziniao-assistant
Version: 1.0.1
The skill provides extensive browser automation capabilities via a local bridge (defaulting to 127.0.0.1:9481), including executing JavaScript (execute_script) and downloading files (download_file). It also instructs the agent to read and write API keys to a configuration file in the user's home directory (~/.zclaw/config.json). While these actions are aligned with the stated purpose of controlling the Ziniao Browser and include safety constraints like tool allowlisting and 'Stop on Blocker' logic, the combination of filesystem modification and broad browser control constitutes a high-risk capability set.
能力评估
Purpose & Capability
The name and description (control the Ziniao Browser via a local Ziniao bridge) align with the instructions to GET /zclaw/tools and POST /zclaw/tools/invoke on a local base URL (default http://127.0.0.1:9481). That functionality is coherent with the stated purpose. However, the skill metadata declares no required environment variables or config paths even though the SKILL.md references ZCLAW_BASE_URL / ZINIAO_ZCLAW_BASE_URL, ZCLAW_API_KEY, and ~/.zclaw/config.json as runtime inputs — this omission is inconsistent with expected capability declarations.
Instruction Scope
The SKILL.md explicitly instructs the agent to: (1) perform network calls to the local bridge (GET and POST to /zclaw/tools endpoints), (2) read an API key from an environment variable (ZCLAW_API_KEY) or from the local file ~/.zclaw/config.json, and (3) retain an allowlist in session memory. The local network calls and session state are within scope. The instruction to read ~/.zclaw/config.json (a user home config file) is out-of-band relative to the skill metadata (which lists no required config paths) and could expose sensitive credentials; this access should have been declared. The skill also documents commands that may write/download files via the bridge (download_file) and fetch bridge logs (get_logs) — these are plausible for a browser-bridge skill but should be documented as they affect local data.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code. That minimizes disk write / remote code execution risk from the skill package itself.
Credentials
The SKILL.md expects an API key and base URL via environment variables (ZCLAW_BASE_URL / ZINIAO_ZCLAW_BASE_URL, ZCLAW_API_KEY) and a local config file (~/.zclaw/config.json) as an alternative for the API key. The registry metadata, however, declares no required env vars or required config paths. Requiring access to a local config file or API key is reasonable for this functionality, but it should be declared explicitly. The undocumented expectation to read ~/.zclaw/config.json or an env var increases the chance of unexpected credential access or leakage if the skill is installed without user awareness.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide persistence. Autonomous invocation (disable-model-invocation: false) is the platform default; it is not by itself a red flag. The skill does not request modification of other skills or system settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install ziniao-assistant - 安装完成后,直接呼叫该 Skill 的名称或使用
/ziniao-assistant触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
**Ziniao Assistant 1.0.1 introduces dynamic tool discovery for safer, more reliable browser control.**
- On skill load or before first tool use, fetch available tools from the bridge via GET /zclaw/tools and only allow invoking tool names from this live list.
- Prevents using hallucinated or invalid tool names by always mapping user actions to names in the session's allowedTools.
- Retains static fallback allowlist for tool names only if the bridge registry cannot be reached.
- No changes to browser control capabilities or stop-on-blocker logic.
- Updated documentation for dynamic discovery, static fallback, and stricter tool invocation flow.
v1.0.0
Ziniao Assistant v1.0.0
- Initial release: allows control of Ziniao Browser via the local ZClaw bridge using a unified set of Core Tools.
- Supports listing/opening stores, navigation, page reading, clicking, input, screenshots, automation, and file/download management exclusively via `POST /zclaw/tools/invoke`.
- Enforces hard constraints: stop immediately on bridge/tool failure, no retries or follow-up actions, and no custom scripting or templates.
- Provides user-configurable API key management via conversation, environment variable, or config file for seamless authentication.
- Clear separation of valid/invalid tool names and strict usage of Core Tools only.
元数据
常见问题
ziniao-assistant 是什么?
Control Ziniao Browser via the local Ziniao bridge. On skill load or before first invoke, GET /zclaw/tools and treat returned name list as the only allowed t... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1416 次。
如何安装 ziniao-assistant?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install ziniao-assistant」即可一键安装,无需额外配置。
ziniao-assistant 是免费的吗?
是的,ziniao-assistant 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
ziniao-assistant 支持哪些平台?
ziniao-assistant 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 ziniao-assistant?
由 ziniao-open(@ziniao-open)开发并维护,当前版本 v1.0.1。
推荐 Skills