AutoGLM Toolkit

AutoGLM AI agent toolkit powered by Zhipu AI. Includes browser automation, deep research, web search, image generation, image search, and web page content ex...

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 0 · 195 · 0 current installs · 0 all-time installs

by@ye4wzp

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

Purpose & Capability

The skill describes heavy-weight capabilities (autonomous browser automation that can log in, like/comment/repost, take screenshots, and persist sessions) but is an instruction-only skill with no code or install spec. The registry metadata declares no required env vars or credentials, yet the SKILL.md documents an AUTOGLM_TOKEN plus appid/secret-based signing for API calls. It's unclear how browser automation or session persistence would be implemented locally versus delegated to a remote service; the credentials and storage claims are not represented in the declared requirements.

Instruction Scope

SKILL.md instructs the agent to perform web actions on third‑party sites (social media, shopping, docs), to login and fill forms, to take screenshots, and to persist sessions. It also specifies API endpoints for web-search, open-link, image generation, etc. The instructions reference authentication secrets (token, appid, secret) and session pools, but do not limit or explain how sensitive user credentials or scraped content are handled. There are contradictory statements: 'Login/captcha always requires manual user interaction' vs. 'Login to websites, fill forms.'

ℹ

Install Mechanism

No install spec or code files are present (instruction-only). That lowers filesystem/injection risk, but also increases ambiguity about runtime: the skill appears to assume an external AutoGLM service will perform actions. The lack of an authoritative homepage, source, or documented installation path makes it harder to validate the remote endpoints.

Credentials

Registry metadata lists no required env vars, but the SKILL.md defines AUTOGLM_TOKEN and shows code requiring appid and secret to compute X-Auth-Sign. This is an inconsistency: the skill will need sensitive credentials (token, app id, secret) to call the API, but they are not declared. Additionally, the skill's functionality implies it may request or handle user account credentials for third-party sites, yet there is no guidance or safeguards described.

ℹ

Persistence & Privilege

always:false and autonomous invocation allowed (defaults) — normal. However, the SKILL.md claims a session pool with 12-hour TTL and session persistence/resume behavior; the skill does not declare where sessions are stored or who controls them. Persistent session handling combined with browser automation capabilities increases the impact if credentials or screenshots are mishandled.

What to consider before installing

This skill is internally inconsistent: the runtime docs require an API token, app id, and secret and describe session persistence and browser automation, but the registry declares no credentials or install steps and there's no source/homepage to verify. Before installing or using it, ask the publisher for: (1) an authoritative homepage or code repo and proof that autoglm-api.zhipuai.cn is owned by the vendor; (2) an updated registry manifest that lists required env vars (AUTOGLM_TOKEN, APPID, SECRET) and explicit instructions for how/where sessions are stored; (3) clear data-handling and privacy rules for screenshots, scraped content, and third‑party account credentials. Do not provide real account passwords to the skill; if you test it, use throwaway/non-sensitive accounts and minimal privileges. If the publisher cannot clarify these gaps, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0

Download zip

latestvk979j8rkgb5hz84jbgx5w6m5p182p4ws

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

AutoGLM Toolkit (智谱 AI 工具箱)

A comprehensive AI agent toolkit powered by Zhipu AI. Includes 6 capabilities:

🌐 Browser Automation — Autonomous browser agent for any web task
🔍 Deep Research — Multi-round search + deep reading for structured reports
🔎 Web Search — Quick web search with concise results
🎨 Image Generation — Text-to-image generation
🖼️ Image Search — Search for stock images by keywords
📄 Web Page Reader — Extract full-text content from web pages

Authentication

All API calls share the same authentication mechanism.

Token

Obtain via local AutoGLM service or manual configuration.

Signing Headers (required for all requests)

Every request must include these headers:

Header	Value
`Authorization`	`Bearer <token>`
`X-Auth-Appid`	Your app ID
`X-Auth-TimeStamp`	Current Unix timestamp (seconds)
`X-Auth-Sign`	MD5(`appid` + `"&"` + `timestamp` + `"&"` + `secret`)

import hashlib, time

def make_headers(token, app_id, secret):
    ts = str(int(time.time()))
    sign = hashlib.md5(f"{app_id}&{ts}&{secret}".encode()).hexdigest()
    return {
        'Authorization': f'Bearer {token}',
        'X-Auth-Appid': app_id,
        'X-Auth-TimeStamp': ts,
        'X-Auth-Sign': sign,
        'Content-Type': 'application/json'
    }

1. Browser Automation Agent

Autonomous browser automation agent that can perform any web task.

Capabilities

Open web pages, search engines (Baidu/Google/Bing)
Browse social media (Weibo, Xiaohongshu, Zhihu, Douyin, Bilibili)
Like, comment, repost, bookmark posts
Login to websites, fill forms
Take screenshots, scrape web content
Online shopping comparisons
Operate online documents (Feishu Docs, Tencent Docs)

Usage

# Delegate entire task to autonomous browser subagent
browser_subagent(task="<task_description>", start_url="<url>")

Key Parameters

Parameter	Required	Description
`task`	✅	Task description (use user's exact words)
`start_url`	Optional	Starting URL for the task
`session_id`	Optional	Resume previous browser session
`auto_approve`	Optional	Auto-approve sensitive operations (default: false)

Session Management

Sessions persist in session pool with 12-hour TTL
Same-site tasks reuse existing sessions
Different-site tasks open new browser tabs
Login/captcha always requires manual user interaction

Important Rules

One task at a time (no concurrent browser tasks)
Always show screenshots in results
Default to 5 items when user doesn't specify quantity
Separate browser operations from non-browser operations (like saving to Excel)

2. Deep Research (深度调研)

Conduct in-depth research on any topic with structured output.

Process

Decompose: Break topic into 1-2 key search directions
Search: 1-2 rounds of web search (controlled quantity)
Deep Read: Open 1-3 important pages for full-text analysis
Report: Generate structured research report

API Endpoints

# Web Search
POST https://autoglm-api.zhipuai.cn/agentdr/v1/assistant/skills/web-search
Body: {"queries": [{"query": "<search_term>"}]}
# Returns: data.results[].webPages.value[] → name / url / snippet

# Open Link (Deep Read)
POST https://autoglm-api.zhipuai.cn/agentdr/v1/assistant/skills/open-link
Body: {"url": "<page_url>"}
# Returns: data.text → full page content

Execution Constraints

web-search max 2 calls
open-link max 3 calls
Show intermediate results after each call
Stop when sufficient information is gathered

Output Format

# [Topic] 深度调研报告

## 中间发现
## 概述
## 背景
## 现状分析
## 典型案例 / 代表性观点
## 发展趋势
## 总结
## 参考来源

3. Web Search (网络搜索)

Quick web search with structured results.

API

POST https://autoglm-api.zhipuai.cn/agentdr/v1/assistant/skills/web-search
Body: {"queries": [{"query": "<search_term>"}]}

Response

{
  "code": 0,
  "data": {
    "results": [{
      "webPages": {
        "value": [
          {"name": "Page Title", "url": "URL", "snippet": "Summary"}
        ]
      }
    }]
  }
}

Output Requirements

Summarize search results based on snippets
Append reference sources with links

4. Image Generation (AI 生图)

Generate images from text descriptions.

API

POST https://autoglm-api.zhipuai.cn/agentdr/v1/assistant/skills/generate-image
Body: {"text": "<image_description>"}

Response

{
  "code": 0,
  "data": {"image_url": "https://..."}
}

Display result as: ![Generated Image](image_url)

5. Image Search (搜图)

Search for images by keywords.

API

POST https://autoglm-api.zhipuai.cn/agentdr/v1/assistant/skills/search-image
Body: {"query": "<search_keywords>"}

Response

{
  "code": 0,
  "data": {
    "results": [{
      "original_url": "image_url",
      "caption": "description",
      "source": "source",
      "original_width": 1267,
      "original_height": 845
    }],
    "count": 4
  }
}

6. Web Page Reader (网页阅读)

Extract full-text content from a web page URL.

API

POST https://autoglm-api.zhipuai.cn/agentdr/v1/assistant/skills/open-link
Body: {"url": "<page_url>"}

Response

{
  "code": 0,
  "data": {"text": "Full page content..."}
}

Output Requirements

Extract data.text as page content
Summarize or display based on user's goal
Never fabricate content on API error

API Quick Reference

Capability	Endpoint	Method
Web Search	`/skills/web-search`	POST
Open Link	`/skills/open-link`	POST
Generate Image	`/skills/generate-image`	POST
Search Image	`/skills/search-image`	POST

Base URL: https://autoglm-api.zhipuai.cn/agentdr/v1/assistant

Notes

All APIs use the same authentication signature mechanism
Python 3 with standard library only (no extra dependencies)
Particularly effective for Chinese internet content
Browser agent requires Chromium-based browser with AutoClaw extension

Files

1 total

Select a file

Select a file to preview.

Comments

Loading comments…