Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kuaishou Genius Actual

v1.0.0

Use this skill whenever the user asks to analyze, verify, debug, reverse-engineer, or automate Kuaishou Genius "Budget/Forecast/Actual" (预算/预测/实际) page data flow (especially management-y...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zhangpei03/kuaishou-genius-actual.

Install the skill "Kuaishou Genius Actual" (zhangpei03/kuaishou-genius-actual) from ClawHub.
Skill page: https://clawhub.ai/zhangpei03/kuaishou-genius-actual
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install kuaishou-genius-actual

ClawHub CLI

npx clawhub@latest install kuaishou-genius-actual

Security Scan

  • VirusTotal: Benign
  • OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill name, description, SKILL.md, and included scripts all focus on mapping and probing the Kuaishou Genius 'management-yearly/actual' API flow; the requested actions (GET/POST probing, reconstructing payloads) are coherent with that purpose. There is no evidence the skill is trying to perform unrelated cloud or system administration tasks.
Instruction Scope
Runtime instructions explicitly tell the agent/operator to capture browser network traffic and to run the provided scripts with a valid session cookie. The instructions do not request reading unrelated files or exfiltrating data to third-party endpoints; they will, however, cause the agent/operator to expose potentially sensitive response bodies and session cookies to their local terminal. The SKILL.md expects the user/agent to supply a valid accessproxy_session cookie which is sensitive.
Install Mechanism
No install spec is provided (instruction-only with bundled scripts), so nothing is downloaded or installed automatically. The included shell and Python scripts are plain text and run locally — lower installation risk compared with remote installers.
Credentials
The package metadata declares no required environment variables or binaries, but the SKILL.md and scripts require: (1) a valid session cookie (accessproxy_session) to authenticate to genius.corp.kuaishou.com, and (2) local tools: bash, curl, python3. Requiring a session cookie is proportionate to the stated purpose, but the manifest omission (no declared primary credential or required env) is an incoherence and a security UX risk: users/agents may be prompted to paste sensitive cookies without the registry documenting that requirement. The python client also supports an --insecure flag (disables TLS verification), which is potentially dangerous if misused.
Persistence & Privilege
The skill is not always-enabled, does not request autonomous privilege escalation, and does not modify other skills or system-wide agent settings. It runs on demand and does not claim persistent presence.
What to consider before installing
This skill appears to do what it says (probe internal Genius API endpoints) but has some important practical and security omissions to be aware of:

  • The skill requires a valid session cookie (accessproxy_session) but the package metadata does not declare this; expect to provide a sensitive cookie string on the command line. Only do this in a trusted environment and avoid reusing long-lived or highly-privileged browser session cookies.
  • The repository metadata also omits required binaries; the scripts assume bash, curl, and python3 are available. Verify those tools and run the code locally rather than giving your cookie to a remote system.
  • The python client supports --insecure which disables TLS verification. Do not use --insecure unless you understand the network risk (it can enable man-in-the-middle attacks).
  • The scripts print API responses (which may contain sensitive org or ledger data) to stdout. Treat output as potentially sensitive and avoid sharing it.

Before installing or running:

  1. Inspect the scripts yourself (you have them) and run them in an isolated environment.
  2. Prefer a low-privilege/test account or ephemeral session cookie if possible.
  3. Do not paste session cookies into third-party UIs; run locally.
  4. If you need metadata in the skill registry, ask the publisher to declare the cookie requirement and required binaries explicitly.

Given the above mismatches (sensitive cookie handling and undeclared binaries), proceed cautiously; the behavior is consistent with its stated purpose but the missing declarations and the need for sensitive credentials are why this is flagged as suspicious.

Like a lobster shell, security has layers — review code before you run it.

182 downloads
0 stars
1 version
Updated 10h ago
v1.0.0
MIT-0

Kuaishou Genius Actual API Skill

Overview

This skill helps an agent quickly move from Genius page operations to a reusable API call map and scripted verification for the management-yearly/actual workflow.

Use it when the goal is to identify core backend endpoints, validate request dependencies, and build repeatable checks for Genius Actual data retrieval.

Quick Start

  1. Ensure login/session is valid for genius.corp.kuaishou.com.
  2. Capture network traffic around the page reload and key filter actions.
  3. Focus on /budget-portal/api/* requests; ignore static assets and telemetry unless debugging auth/risk.
  4. Run script-based endpoint probe/client:
cd scripts
bash genius_api_probe.sh \
  --base-url "https://genius.corp.kuaishou.com" \
  --cookie "accessproxy_session=<YOUR_COOKIE>" \
  --year 2026

python3 genius_client.py \
  --cookie "accessproxy_session=<YOUR_COOKIE>" \
  workflow --year 2026
  5. Output a concise report with:
    • reachable endpoints
    • required params/payload hints
    • dependency order
    • known blockers/limitations

Supported Capabilities

  1. Core API extraction

    • Identify actual business endpoints used by management-yearly/actual.
  2. API map generation

    • Build endpoint catalog: method, path, purpose, required params/body.
  3. Workflow reconstruction

    • Reconstruct request order from page load to ledger detail fetch.
  4. Scripted probing

    • Use scripts/genius_api_probe.sh to quickly verify endpoint reachability and baseline responses.
  5. Troubleshooting focus

    • Distinguish business API failures from:
      • SSO/session expiration
      • fingerprint/risk controls
      • telemetry noise

API Map (Core Business)

Base domain:

  • https://genius.corp.kuaishou.com

Core endpoints observed in Actual flow:

  • GET /budget-portal/api/authority/user

    • Purpose: fetch user auth context.
  • GET /budget-portal/api/authority/org/tree

    • Purpose: org tree for selectors/permissions scope.
  • GET /budget-portal/api/horse-race-lamp/query?tabCode=management-yearly%2Factual

    • Purpose: tab-level notification/meta.
  • GET /budget-portal/api/description/act-latest-update-date

    • Purpose: latest actual update metadata.
  • GET /budget-portal/api/annual-actual/versions?year=<YEAR>

    • Purpose: available versions for selected year.
  • POST /budget-portal/api/actual-ledger/detail

    • Purpose: ledger detail dataset.
    • Notes: requires JSON body shaped by current filters.
  • POST /budget-portal/api/actual-ledger/products

    • Purpose: product/metric dimension data for current view.
    • Notes: requires JSON body shaped by current filters.

Non-core but commonly seen (usually ignore unless diagnosing):

  • log-sdk.ksapisrv.com/* telemetry
  • mobile-device-info.corp.kuaishou.com/* device/risk
  • h5-fingerprint.corp.kuaishou.com/* fingerprint

Workflow

1) Session check

  • Confirm not redirected to SSO login.
  • Verify accessproxy_session works for genius.corp.kuaishou.com.

2) Capture

  • Reload target page:
    • https://genius.corp.kuaishou.com/management-yearly/actual
  • Capture all XHR/fetch.

3) Filter to business APIs

  • Keep only /budget-portal/api/ requests.
  • Group by: authority → metadata → versions → ledger POSTs.

4) Rebuild minimal call chain

  • Start with GET chain (auth/org/version).
  • Then reproduce POST ledger calls with realistic payload.

5) Validate by script

  • Run genius_api_probe.sh with cookie + year.
  • Record HTTP code + brief body snippet.

6) Report

Always output:

  • API list (method/path/purpose)
  • call order
  • required parameters/body fields (known/unknown)
  • current blockers and next action
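
Steps 2 to 4 above, as an added example that is not part of the skill's bundled scripts: it filters an exported browser HAR capture down to /budget-portal/api/ requests, groups them in the stage order the workflow names, and redacts the session cookie so the resulting API map can be stored or shared. The stage-to-path mapping, the function names and the sample entries are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

API_PREFIX = "/budget-portal/api/"
# Stage order from the workflow: authority -> metadata -> versions -> ledger POSTs.
# The path prefixes per stage are an assumption based on the API map above.
STAGES = [("authority", ("authority/",)),
          ("metadata", ("horse-race-lamp/", "description/")),
          ("versions", ("annual-actual/versions",)),
          ("ledger", ("actual-ledger/",))]
SENSITIVE = {"cookie", "set-cookie", "authorization"}

def stage_of(path):
    rest = path[len(API_PREFIX):]
    return next((n for n, p in STAGES if rest.startswith(p)), "other")

def redact(headers):
    """Replace credential-bearing header values so the report can be shared."""
    return [{"name": h["name"], "value": "<REDACTED>"}
            if h["name"].lower() in SENSITIVE else h for h in headers]

def business_calls(har, host="genius.corp.kuaishou.com"):
    """Group business API calls by workflow stage, preserving capture order."""
    grouped = {**{name: [] for name, _ in STAGES}, "other": []}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        if url.hostname != host or not url.path.startswith(API_PREFIX):
            continue  # telemetry, fingerprint and static-asset requests
        # The HAR "cookies" array is deliberately not copied into the report.
        grouped[stage_of(url.path)].append(
            {"method": req["method"], "path": url.path, "query": url.query,
             "headers": redact(req.get("headers", []))})
    return grouped

def _req(method, url):  # builds one constructed HAR entry
    return {"request": {"method": method, "url": url, "cookies": [],
            "headers": [{"name": "Cookie", "value": "accessproxy_session=PLACEHOLDER"}]}}

# Constructed sample capture, not real traffic; paths outside the API map are made up.
SAMPLE_HAR = {"log": {"entries": [
    _req("GET", "https://log-sdk.ksapisrv.com/collect"),
    _req("POST", "https://genius.corp.kuaishou.com/budget-portal/api/actual-ledger/detail"),
    _req("GET", "https://genius.corp.kuaishou.com/budget-portal/api/authority/user"),
    _req("GET", "https://genius.corp.kuaishou.com/budget-portal/api/annual-actual/versions?year=2026"),
    _req("GET", "https://genius.corp.kuaishou.com/static/app.js"),
]}}

if __name__ == "__main__":
    print(json.dumps(business_calls(SAMPLE_HAR), indent=2))
```

Request and response bodies are not copied into the report either; a raw HAR export still contains them along with the cookie, so treat the original file as a credential.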

Script Usage

Script paths:

  • scripts/genius_api_probe.sh
  • scripts/genius_client.py

What they do:

  • genius_api_probe.sh: probes key GET APIs and sends placeholder POSTs for quick triage
  • genius_client.py: structured client for core APIs (single endpoint or full workflow), supports custom JSON payload files

Required inputs:

  • --base-url (default https://genius.corp.kuaishou.com)
  • --cookie (must include valid accessproxy_session=...)

Optional:

  • --year (default 2026)

Known Limitations

  1. SSO/session coupling

    • Without a valid session cookie, requests fall back to SSO and API probing is invalid.
  2. Risk/fingerprint controls

    • Some environments may require device/fingerprint side requests; replay outside the browser may fail.
  3. POST body incompleteness

    • actual-ledger/detail and actual-ledger/products need accurate business payload fields from live capture.
  4. Environment drift

    • static bundle versions and backend schema may change; always re-capture when results diverge.
  5. Permission scope

    • org tree and ledger visibility depend on account permissions; data differences are expected across users.
