Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PKU Info Common

v1.0.0

Shared library crate (info-common) providing IAAA authentication, OTP, session persistence, credential resolution, and QR rendering for PKU CLI tools. Use th...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wjsoj/pku-info-common.

Install the skill "PKU Info Common" (wjsoj/pku-info-common) from ClawHub.
Skill page: https://clawhub.ai/wjsoj/pku-info-common
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install pku-info-common

ClawHub CLI

npx clawhub@latest install pku-info-common

Security Scan

Capability signals: Crypto, Requires wallet, Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name and description (shared auth/session/OTP/QR helper for PKU CLI tools) match the SKILL.md content: it documents iaaa, otp, session, credential resolution, and qr modules and how consumers should integrate. The capabilities described are coherent for a shared auth crate.
! Instruction Scope
The runtime instructions tell agents to use keyring-backed credential resolution, read/write session files under ~/.config/info/<name>/ (session.json, cookies.json), and to set environment variables (PKU_SMS_CODE) for SMS flow. The skill also tells agents to run consumer CLI commands (info-auth check, <tool> login -p). These instructions go beyond mere documentation — they describe accessing local secrets and on-disk session state, but the skill metadata does not declare those accesses.
Install Mechanism
No install spec or code is included; the skill is instruction-only, so there is no installer that would write or execute code on disk. This is lower installation risk but also means you cannot inspect code until a code release/source is provided.
! Credentials
The SKILL.md references environment variables PKU_USERNAME, PKU_PASSWORD, PKU_SMS_CODE and describes using OS keyring backends and session files, but the skill metadata lists no required env vars, no primary credential, and no required config paths. That mismatch is important: the instructions expect access to secrets (env vars, keyring, session files) but the declared requirements do not disclose or justify that access. Requiring or instructing use of SMS codes and keyring is plausible for an auth helper, but it should be declared explicitly and the source reviewed before granting access.
Persistence & Privilege
The skill is not always-enabled and does not request persistent elevated platform privileges. It does instruct use of local session storage and keyring, but it does not itself request to persist in agent configuration or modify other skills. No 'always: true' or other high-privilege flags are present.
What to consider before installing
This SKILL.md appears to document a legitimate PKU auth helper, but it references sensitive resources (OS keyring, ~/.config/info/<tool>/session.json and cookies.json, and env vars like PKU_PASSWORD / PKU_SMS_CODE) while the skill metadata declares none of those requirements and provides no source or homepage. Before installing:

  1. Ask the publisher for the source repository or a copy of the crate code so you can verify it does not exfiltrate secrets.
  2. Confirm whether your agent/runtime will allow the skill to access the OS keyring and ~/.config paths; if so, consider restricting or auditing those accesses.
  3. Do not set PKU_PASSWORD or PKU_SMS_CODE environment variables in a global context until you trust the code.
  4. Prefer an explicitly-declared, signed release (or a vendor with a homepage) over an anonymous instruction-only skill.

If the maintainer provides the crate source and explicit required-env/config declarations that match the SKILL.md, my confidence in a benign assessment would increase.

Like a lobster shell, security has layers — review code before you run it.

Tags: auth, iaaa, latest, pku, rust
115 downloads
0 stars
1 version
Updated 2w ago
MIT-0

Info-Common - Shared Authentication Library

The shared library crate providing authentication, session management, and utilities for all IAAA-based CLI tools.

Architecture

  • Crate location: crates/info-common/
  • Used by: treehole, course, campuscard, elective, info-auth (NOT info-spider)
  • Config root: ~/.config/info/<name>/ for each consumer crate

Key Modules

iaaa.rs — IAAA Unified Authentication

  • PKU's Single Sign-On system supporting both password and QR code login
  • Each consumer provides its own IaaaConfig with app_id and redirect_url:
    • treehole: app_id="PKU Helper", redirect to /chapi/cas_iaaa_login
    • course: app_id="blackboard", redirect to Blackboard SSO
    • campuscard: app_id="portal2017", redirect to portal → berserker-auth
    • elective: app_id="elective", redirect to elective SSO
  • Returns a token that the consumer exchanges with its target service

otp.rs — TOTP Code Generation

  • Implements RFC 6238 (Time-based One-Time Password)
  • Used for IAAA 手机令牌 (mobile token) 2FA
  • Supports bind/set/show/clear operations across all CLI tools

session.rs — Session & Cookie Persistence

  • Store::new(APP_NAME) creates storage at ~/.config/info/<name>/
  • session.json — token, expires_at, uid, created_at, extra (serde_json::Value)
  • cookies.json — reqwest CookieStore serialized as JSON
  • Handles load/save with proper error context
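
Since session.json holds a token and cookies.json holds serialized cookies, a local audit of these files is a natural check. The following is an added example, not code from the info-common crate: it reports session files that other local users could access. The function name, the owner-only (0600) expectation and the Unix-only mode check are assumptions of this example.

```rust
use std::{fs, io};
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

// File names from the session.rs description; everything else is this example's own.
const SENSITIVE_FILES: [&str; 2] = ["session.json", "cookies.json"];

/// A session file that is a symlink or grants access beyond its owner.
#[derive(Debug, PartialEq)]
pub struct Finding {
    pub path: PathBuf,
    pub mode: u32,
}

/// Walk `<config_root>/<name>/` (hypothetical helper, Unix only) and report
/// session files with any group/other permission bit set (mode & 0o077).
pub fn audit_session_files(config_root: &Path) -> io::Result<Vec<Finding>> {
    let mut findings = Vec::new();
    for entry in fs::read_dir(config_root)? {
        let dir = entry?.path();
        if !dir.is_dir() {
            continue;
        }
        for name in SENSITIVE_FILES {
            let path = dir.join(name);
            // symlink_metadata: inspect the entry itself, never a link target.
            let meta = match fs::symlink_metadata(&path) {
                Ok(m) => m,
                Err(e) if e.kind() == io::ErrorKind::NotFound => continue,
                Err(e) => return Err(e),
            };
            let mode = meta.permissions().mode() & 0o777;
            if meta.file_type().is_symlink() || mode & 0o077 != 0 {
                findings.push(Finding { path, mode });
            }
        }
    }
    findings.sort_by(|a, b| a.path.cmp(&b.path));
    Ok(findings)
}

fn main() -> io::Result<()> {
    // Assumption: config root is $HOME/.config/info, as the page documents.
    let root = PathBuf::from(std::env::var("HOME").unwrap_or_default()).join(".config/info");
    if !root.is_dir() { return Ok(()); }
    for f in audit_session_files(&root)? {
        println!("{}: mode {:o}, expected 600", f.path.display(), f.mode);
    }
    Ok(())
}
```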

credential.rs — Unified Credential Resolution

  • Resolves user credentials in priority order: OS keyring → env vars → interactive input
  • Keyring: Uses keyring crate with platform-specific backends:
    • Linux: D-Bus Secret Service (GNOME Keyring / KDE Wallet)
    • macOS: Apple Keychain
    • Windows: Windows Credential Manager
  • Environment variables: PKU_USERNAME, PKU_PASSWORD, PKU_SMS_CODE
  • SMS code resolution: resolve_sms_code() — env var PKU_SMS_CODE → interactive
  • SMS auto-confirm: confirm_send_sms() — auto-confirms when PKU_SMS_CODE is set
  • Keyring management: keyring_store(), keyring_clear(), keyring_has_credential()
  • Session check: check_session(app_name) — returns Valid / Expired / NotFound
  • Passwords never written to disk — keyring is OS-encrypted, env vars are in-memory only

qr.rs — Terminal QR Code Display

  • Renders QR codes in terminal via viuer crate
  • Falls back to system image viewer if terminal rendering fails
  • Used for both IAAA QR login and campuscard payment codes

Credential Resolution for AI Agents

All IAAA-based CLI tools use credential::resolve_credential() for login. The resolution order:

  1. OS Keyring (info-pku service) — set by info-auth store
  2. Environment variables (PKU_USERNAME + PKU_PASSWORD)
  3. Interactive prompt (stdin fallback)

AI Agents should:

  • Use info-auth check to verify session status before operations
  • Call <tool> login -p to trigger auto-login from keyring
  • Set PKU_SMS_CODE env var if SMS verification is needed
  • NEVER pass passwords as CLI arguments

Adding a New CLI Tool

To add a new IAAA-based CLI tool:

  1. Create a new crate under crates/
  2. Depend on info-common in Cargo.toml
  3. Define IaaaConfig with the service's app_id and redirect_url
  4. Use credential::resolve_credential() instead of manual stdin input
  5. Implement complete_*_login() to exchange the IAAA token with the target service
  6. Set session.expires_at when saving sessions
  7. Use Store::new("tool-name") for session persistence
  8. Follow the client.rs pattern: build() for auth requests, build_simple() for IAAA login

Development Conventions

  • All user-facing strings in Chinese
  • Error handling: anyhow::Result with .context("中文描述")
  • HTTP clients use realistic User-Agent headers
  • Zero warnings policy: remove unused code, never use #[allow(dead_code)]
