← 返回 Skills 市场
132
总下载
1
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install zrise-connect-release
功能描述
Connect and operate Zrise tasks via XML-RPC API using Lobster workflows for approval-based task execution and result writeback.
安全使用建议
This skill bundle is internally inconsistent: SKILL.md insists on an approval-based Lobster workflow, but other docs and code promote bypassing Lobster and spawning agents directly (including subprocess calls to 'openclaw agent') and expect Zrise, Telegram, and AI provider credentials. Before installing: 1) Inspect invoke_agent_for_task.py, workflow_manager_ui.py, and any code that spawns subprocesses or calls 'openclaw agent' to confirm whether it will bypass approvals or auto-writeback to Zrise. 2) Treat ZRISE_API_KEY, Telegram bot tokens, and model API keys as sensitive — do not provide them until you verify the code path that uses them. 3) Run in an isolated/test environment (not production) and with least-privilege credentials. 4) If you need strict approval gates, reject or remove the agent-to-agent direct-spawn code and enforce the Lobster workflows referenced in SKILL.md. 5) Consider asking the publisher for a clear statement which workflow mode is authoritative (Lobster-only vs agent-to-agent) and for a minimal manifest that lists the required env vars.
功能分析
Type: OpenClaw Skill
Name: zrise-connect-release
Version: 3.3.1
The skill bundle provides a comprehensive integration for the Zrise ERP system, including a web-based workflow manager and automated task processing. While the intent appears benign and aligned with its stated purpose, it contains several high-risk security vulnerabilities and behaviors. Specifically, `zrise_utils.py` explicitly disables SSL certificate verification (`ssl.CERT_NONE`), and `workflow_manager_ui.py` implements a web server that allows remote command execution with an authentication check that can be bypassed if a specific environment variable is not set. Additionally, the scripts perform environment modifications such as recursively removing macOS extended attributes (`xattr -cr`) and modifying the user's `~/bin` directory, which are aggressive for a standard skill bundle.
能力评估
Purpose & Capability
SKILL.md and the skill description state the integration must operate via Lobster workflows (approval-based writeback). However multiple docs and scripts (docs/AGENT_TO_AGENT.md, docs/SIMPLE_WORKFLOW_GUIDE.md, workflow_manager_ui.py snippets) explicitly recommend or implement bypassing Lobster and spawning agents directly (subprocess calling 'openclaw agent ...'), which would give agents broad ability to fetch, execute, spawn subagents, and write back results. That behavior contradicts the stated purpose of strict Lobster-mediated, approval-gated execution.
Instruction Scope
SKILL.md itself is narrow and prescriptive (use lobster run ... and wait for approvals). But other runtime instructions and code examples in the repo instruct the system to: (a) modify the UI to POST /api/sessions/{task_id}/trigger and spawn agents directly, (b) let agents 'decide' to spawn subagents and auto-writeback to Zrise, and (c) send approval requests via chat channels. These broader instructions allow automated actions and data writeback that go beyond the conservative approval flow claimed in SKILL.md.
Install Mechanism
There is no formal install spec, but SKILL.md shows a recommended Lobster install via git clone from GitHub and npm install/tsc (https://github.com/openclaw/lobster.git) and linking a binary into ~/bin. That is a traceable GitHub source (not a random URL) but requires running npm install and compiling TypeScript — a moderate installation step that will produce code on disk. No arbitrary remote binaries or obscure URLs were detected.
Credentials
The registry metadata claims no required env vars/credentials, yet README/docs enumerate and assume multiple sensitive settings (ZRISE_URL, ZRISE_DB, ZRISE_USERNAME, ZRISE_API_KEY, GEMINI_API_KEY, Telegram bot tokens, OpenClaw config entries). This mismatch is important: the skill will not function without Zrise credentials and possibly messaging/model API keys, so asking for no env vars in the manifest is inconsistent and understates required sensitive access.
Persistence & Privilege
always:false (good), but the codebase includes UI/server modifications and subprocess spawns that call 'openclaw agent' and may write state (state/ and config/ files). If deployed with default autonomous invocation, the agent-to-agent patterns in the repo would let spawned agents autonomously perform network operations and writebacks. The combination of autonomous agents and documented code that bypasses approval gates increases potential blast radius and should be treated cautiously.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install zrise-connect-release - 安装完成后,直接呼叫该 Skill 的名称或使用
/zrise-connect-release触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v3.3.1
zrise-connect-release 3.3.1
- Updated documentation in SKILL.md with a mandatory workflow process for task handling via Lobster, emphasizing agent approval steps.
- Clearly outlined steps for task processing, review, approval, revision, and automation.
- Added instructions and usage examples for relevant debug/manual scripts.
- Provided practical notes on Zrise XML-RPC API usage and integration specifics.
- Included key setup guidance for the Lobster workflow tool and clarified essential Zrise data concepts.
元数据
常见问题
Zrise Connect Release 是什么?
Connect and operate Zrise tasks via XML-RPC API using Lobster workflows for approval-based task execution and result writeback. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 132 次。
如何安装 Zrise Connect Release?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install zrise-connect-release」即可一键安装,无需额外配置。
Zrise Connect Release 是免费的吗?
是的,Zrise Connect Release 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Zrise Connect Release 支持哪些平台?
Zrise Connect Release 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Zrise Connect Release?
由 Khoa(@khoabd)开发并维护,当前版本 v3.3.1。
推荐 Skills