ZSXQ Digest

Summarize recent posts from followed Knowledge Planet circles into a daily digest prioritizing key updates using local tokens or browser relay for access.

This skill is coherent with its stated goal, but it deals with highly sensitive local authentication artifacts (zsxq_access_token and browser cookies). Before installing or running: 1) Inspect the included scripts (capture_browser_cookies.js, auth_bootstrap.py, run_browser_bootstrap.py, etc.) to ensure you understand what they do. 2) Keep token files under a gitignored directory (state/session.token.json) and never paste tokens into public channels. 3) If you use browser bootstrap, only supply wsUrl values that point to a local/controlled DevTools endpoint (localhost); do not point to remote or unknown hosts. 4) Run the skill in an isolated environment or test host if you are unsure. 5) Prefer manual review of any captured cookie files before finalization, and revoke/rotate the token if you suspect it was mishandled. If you want stronger assurance, ask the author for explicit manifests of which cookies/fields are extracted and for code signatures or reproducible builds.

Type: OpenClaw Skill Name: zsxq-digest Version: 0.1.0 The zsxq-digest skill bundle is a highly functional tool designed to summarize updates from the Knowledge Planet (ZSXQ) platform. While it possesses high-risk capabilities—specifically the use of Chrome DevTools Protocol (CDP) in scripts like 'capture_browser_cookies.js' and 'prepare_zsxq_qr_bootstrap.js' to extract session cookies—these actions are transparently documented and strictly aligned with the stated purpose of local authentication bootstrap. The bundle demonstrates strong security awareness through 'scripts/package_public_release.py', which explicitly scrubs sensitive state files before packaging, and 'SKILL.md' instructions that mandate local-only storage of credentials in gitignored paths. No evidence of intentional data exfiltration, unauthorized remote control, or malicious prompt injection was found.