Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

collage-application

v1.0.3

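Provides strategy guidance for gaokao college applications: generates a well-founded application plan from the candidate's province, subject combination, score, rank and preferences, and outputs a visualized application list. Use it when the user needs to fill in gaokao college applications.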


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ym9zep/collage-application.

Install the skill "collage-application" (ym9zep/collage-application) from ClawHub.
Skill page: https://clawhub.ai/ym9zep/collage-application
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install collage-application

ClawHub CLI


npx clawhub@latest install collage-application

Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (high confidence)

[!] Purpose & Capability
The stated purpose (generate gaokao volunteer plans and visualized forms) can justify calling a remote service, but the package does not disclose the external endpoint. The create script posts user-sensitive fields (province, score, rank, courses, majors) to https://wxc-college-uat.randomlife.cn which is not mentioned in SKILL.md or metadata — a transparency mismatch.
[!] Instruction Scope
SKILL.md instructs the agent to run local verification and generation scripts, which is fine, but it also instructs use of an API key environment variable (WENXIANG_API_KEY). The instructions do not disclose that user data will be sent to a third‑party HTTP endpoint, nor do they document what is sent. Sending personally sensitive exam data externally without explicit disclosure is out of scope for a user-facing guidance skill.
Install Mechanism
No install spec; only a note to pip install requests. No archive downloads or unusual install behavior were present in the manifest.
[!] Credentials
SKILL.md claims the generator will auto-read WENXIANG_API_KEY from the environment (or accept it as a parameter), but the create_collage_application.py code does not read that env var nor attach any API key to the HTTP request. The skill metadata declares no required env vars but the documentation references one — this mismatch could lead users to provide credentials that may be mishandled or leaked.
Persistence & Privilege
The skill is not always-enabled, has no install that modifies agent/system config, and does not request ongoing privileges or persistent presence.
What to consider before installing
This skill calls an external server with users' exam data but does not disclose that endpoint, and SKILL.md and the scripts disagree about API key usage. Before installing or using it: (1) do not provide real sensitive data (exact score, rank, personal identifiers) until you verify where data is sent; (2) ask the publisher for the official source/homepage and why data is POSTed to wxc-college-uat.randomlife.cn; (3) request code changes so the endpoint and API key handling are explicit (or make generation work fully offline); (4) if you must test, run the scripts in a sandbox / offline environment and inspect network traffic; (5) avoid entering any API keys into the dialog unless the developer documents exactly how keys are used and stored.

Like a lobster shell, security has layers — review code before you run it.

latest vk976rjzxc8c7ym4jf7b5hx768x83zkmg
137 downloads
0 stars
4 versions
Updated 3w ago
v1.0.3
MIT-0

Gaokao College Application Assistant

Prerequisites

  • Dependencies: the scripts under scripts require a Python environment and the following package
    pip install requests
    

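Procedure

Standard flow

  1. Information collection: you must check whether the user has provided the following information:

    • (Required) Province (e.g. Shanghai, Jiangsu, Guangdong)
    • (Required) Subject combination (e.g. physics, chemistry, biology)
    • (Required) Gaokao score (exact number)
    • (Optional) Gaokao rank (exact number)
    • (Required) Preferred major categories (e.g. computer science, law)

    If the required information has not been fully collected: guide the user, in friendly natural language, to supply what is missing.
  2. Application information confirmation: once the required information has been collected, call verify_correct_info to check that the information the user provided is correct and to normalize it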

    python {baseDir}/scripts/verify_correct_info.py --province "xxx" --score xxx  [--rank xxx] --courses "xxx" --majors "xxx"
    

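    After the script has run and returned a result:

    • If the returned code indicates success
      • Extract the normalized JSON from data.
      • Describe the information in the JSON to the user and ask the user to confirm it or say whether anything needs to be changed
        • If the user wants changes, rerun the script with the modified information and ask the user to confirm again
        • If the user confirms it is correct, run step 3 with the fields from the JSON
    • If it returns a failure
      • Extract the error message.
      • Reply: "Sorry, the information check failed. Reason: <error_message>. Please check your information, or try again later."
  3. Application plan generation: once the user has confirmed the information, call create_collage_application to generate the application list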

    python {baseDir}/scripts/create_collage_application.py --province "xxx" --score xxx  --rank xxx --courses "xxx" --majors "xxx" [--api-key KEY]
    

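    After the create_collage_application script has run and returned a result:

    • If it returns success and includes url
      • Extract msg and url.
      • Reply: "Your personalized application list has been generated! <add a brief summary of the application list information in msg>", and attach the image from url at the end
    • If it returns a failure
      • Extract the error message msg.
      • Reply: "Sorry, generating the application list failed. Reason: <msg>. Please check your information, or try again later."
  4. Follow-up consultation: if the application list has been generated successfully

    • Do not ask the user to provide the information again (unless the user explicitly says "I want to regenerate" or "change the score").
    • Use your professional knowledge to answer the user's questions about schools, majors and admission probability directly.
    • Reply style: professional, objective, data-driven.
    • If the user wants to regenerate, go back to step 2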

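Script parameters:

  • province: required; the short name of a single province or municipality, such as 上海 (Shanghai), 江苏 (Jiangsu), 内蒙古 (Inner Mongolia); Xinjiang, Tibet, Taiwan, Hong Kong and Macau are not included
  • courses: required; the subject combination, made up of 物理 (physics), 化学 (chemistry), 生物 (biology), 历史 (history), 地理 (geography), 政治 (politics), 技术 (technology); values are separated by an ASCII comma, for example 物理,化学,生物
  • score: required; non-negative integer, the gaokao score
  • rank: optional; non-negative integer, the gaokao rank
  • majors: major categories, such as 金融学类 (finance), 化学类 (chemistry), 计算机类 (computer science); values are separated by an ASCII comma, for example 金融学类,化学类,计算机类
  • api-key: optional; the script automatically reads the WENXIANG_API_KEY environment variable, and reports an error if it cannot be read; in that case ask the user to configure it or enter it in the conversation, and if it is entered in the conversation, add this parameter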
