← 返回 Skills 市场
69
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install zuma-desktop-agent
功能描述
ZumaRobot Windows 桌面自动化机器人 SKILL 端代理工具,自动化发布小红书笔记、抖音、X/推特等,支持 AI 动态生成配图,一句话完成所有操作,提高效率。将用户意图映射为 `node zuma.js` 命令参数, 不做任何推理或扩展。 触发词:zuma 采集、X 采集、推文采集、小红书发笔记、...
安全使用建议
This skill contains executable code that does more than 'map a command' — it reads .env and process.env variables, queries the Windows registry, writes/copies files into the skill folder, may download remote release archives, and uploads images to an external image host (imgbb) using a hard-coded API key. Before installing: 1) only install if you fully trust the skill's source; 2) review the full zuma.js and upload.js code yourself (or have someone you trust do it); 3) remove or replace the hard-coded API key and explicitly set any required environment variables rather than relying on defaults; 4) run the skill in a restricted sandbox or VM and monitor network activity (especially outbound uploads and any downloads); 5) if you need only screenshot-to-local functionality, consider modifying the code to disable external uploads; 6) if anything is unclear, treat this skill as potentially data-leaking and avoid granting it access to sensitive accounts or files.
功能分析
Type: OpenClaw Skill
Name: zuma-desktop-agent
Version: 1.0.0
The skill bundle exhibits high-risk capabilities including remote payload downloading, registry modification, and screen capture. Specifically, 'zuma.js' contains logic to download ZIP files from Gitee/GitHub via PowerShell, extract them to 'C:\ZUMAAI', and modify the Windows Registry ('HKCU\SOFTWARE\ZumaRobot') to store installation paths. While these actions align with the stated purpose of a desktop automation agent, the use of 'execSync' to run PowerShell scripts for screenshots and the presence of a hardcoded ImgBB API key ('669ae31e56af5f66402d9ff239f1980d') represent significant security risks and potential for abuse if the agent is subverted.
能力标签
能力评估
Purpose & Capability
The skill claims only to map user intent to a 'node zuma.js' invocation, but the included code does much more: it reads a .env and process.env variables (ZUMA_SERVER_URL, API_KEY, TOKEN, IMGBB_API_KEY, DOWNLOAD_LINKS, etc.), performs HTTP requests to local and remote endpoints, synchronizes guide.md into the skill directory, and references remote download URLs for a Zuma desktop executable. Many of these capabilities (network downloads/uploads, registry access) are beyond a simple command-mapper and are not justified in the description.
Instruction Scope
SKILL.md's runtime instructions insist the agent only run node zuma.js commands and forbid using system shell commands, but the implementation performs actions that go beyond 'just run and return output': it may trigger npm installs, call local and remote HTTP endpoints, copy files into the skill directory, and the script uses child_process.execSync (registry queries). The skill documentation does not declare or explain these reads/writes, nor the use of external image upload services.
Install Mechanism
There is no install spec (instruction-only), but the code expects to run 'npm install' or 'pnpm install' when dependencies are missing. package.json pulls in node-fetch and form-data (reasonable), however the code also contains arrays of remote download URLs (GitHub/Gitee .zip releases) for a Windows executable — downloading/extracting those at runtime would be high risk. The repository also contains an embedded default IMGBB API key. No explicit, vetted release hosts or checksums are provided.
Credentials
The skill declares no required environment variables, yet zuma.js reads many env vars and a .env file (ZUMA_SERVER_URL, API_KEY, TOKEN, IMGBB_API_KEY, DOWNLOAD_LINKS, etc.). A non-trivial secret (IMGBB_API_KEY) is hard-coded in defaults. The mismatch between declared requirements (none) and actual env/credential usage is a clear proportionality problem and increases exfiltration risk (screenshots/images may be uploaded).
Persistence & Privilege
The skill does not set always:true and is user-invocable. The code writes files (syncGuide copies guide.md into the skill root), may create workspace directories under the user's home, and reads the Windows registry to find an installed exe path. Those behaviors are plausible for a desktop agent but should be considered persistent and able to modify files under user home. No evidence it modifies other skills or system-wide agent settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install zuma-desktop-agent - 安装完成后,直接呼叫该 Skill 的名称或使用
/zuma-desktop-agent触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
zuma-desktop-agent 1.0.0
- 初始发布,提供 ZumaRobot Windows 桌面自动化机器人命令代理。
- 支持自动化采集推文、小红书发笔记、查看日志、屏幕截图等核心操作。
- 严格命令映射,仅执行 node zuma.js 相关命令,禁止任何系统命令。
- 内置环境自检与业务操作自动流程,错误处理透明,不做任何推理或扩展。
- 交互式菜单指引用户选择具体业务,所有参数需显式输入并校验。
元数据
常见问题
Zuma Desktop Agent 是什么?
ZumaRobot Windows 桌面自动化机器人 SKILL 端代理工具,自动化发布小红书笔记、抖音、X/推特等,支持 AI 动态生成配图,一句话完成所有操作,提高效率。将用户意图映射为 `node zuma.js` 命令参数, 不做任何推理或扩展。 触发词:zuma 采集、X 采集、推文采集、小红书发笔记、... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 69 次。
如何安装 Zuma Desktop Agent?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install zuma-desktop-agent」即可一键安装,无需额外配置。
Zuma Desktop Agent 是免费的吗?
是的,Zuma Desktop Agent 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Zuma Desktop Agent 支持哪些平台?
Zuma Desktop Agent 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Zuma Desktop Agent?
由 biglobin(@biglobin)开发并维护,当前版本 v1.0.0。
推荐 Skills