ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PKU Portal

v1.0.0

北京大学校内信息门户 (portal.pku.edu.cn / its.pku.edu.cn) CLI 工具。当用户提及 portal、校内信息门户、空闲教室、空教室、教室查询、一教/二教/三教/四教/理教空闲、校历、学年校历、上课时间、网费、网费余额、网费充值、上网账号、查余额、微信充值网费、支付宝充值网费 时...

0· 58·0 current·0 all-time
by@wjsoj

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wjsoj/pku-portal.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "PKU Portal" (wjsoj/pku-portal) from ClawHub.
Skill page: https://clawhub.ai/wjsoj/pku-portal
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pku-portal

ClawHub CLI

Package manager switcher

npx clawhub@latest install pku-portal
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the runtime instructions: querying free classrooms, extracting the campus calendar, and checking/recharging netfee via ITS/payment endpoints are coherent with the CLI architecture described. However, the doc explicitly requires user login (ITS net account) and reuse of a credential helper, yet the skill metadata declares no required credentials or env vars — that is a notable omission.
!
Instruction Scope
Instructions direct network calls to portal.pku.edu.cn, its.pku.edu.cn, simso.pku.edu.cn, and cwsf.pku.edu.cn (payment flow). They describe session persistence at ~/.config/info/portal/ and an auto‑login flow for AI agents. They also reference using third‑party captcha services (utool, ttshitu, yunma) and rendering/printing QR codes for payment. Those behaviours go beyond simple read‑only queries and include handling of credentials, payment initiation steps, and use of external captcha services — none of which are declared in the skill metadata.
Install Mechanism
Instruction-only skill with no install spec and no code files in the bundle; nothing is written to disk by an install step. This is the lowest install risk given the provided package.
!
Credentials
The SKILL.md requires access to ITS net account credentials (and references reuse of pkuinfo_common::credential and keyring). It also references third‑party captcha services which typically need API keys. Despite that, the registry metadata lists no required env vars or primary credential. That mismatch (undeclared sensitive credentials and API keys) is disproportionate and reduces transparency about what secrets an agent will need or access.
Persistence & Privilege
The skill will persist sessions under ~/.config/info/portal/, which is within a normal per‑user config scope. always:false is set. Still, because the skill can be invoked autonomously and it can perform payment-related flows and QR code generation, autonomous invocation combined with undeclared credential access increases the blast radius — consider restricting autonomous use until credential/behavior details are confirmed.
What to consider before installing
This SKILL.md appears to implement a real PKU portal CLI, but it does not transparently declare the sensitive credentials and API keys it will use. Before installing or enabling the skill: 1) Confirm where and how ITS (net) credentials are stored/loaded (keyring? plaintext?). 2) Ask the author to declare required env vars or keyring usage (including any third‑party captcha service API keys) in the metadata. 3) Review actual code (crates/portal/*) before granting access to real credentials — pay special attention to payment flow (cwsf.pku.edu.cn), QR rendering, and any network calls that could trigger charges or leak data. 4) Prefer manual invocation (do not allow always:true or unrestricted autonomous invocation) until you verify credential handling. 5) If you must try it, use a throwaway/test account or revokeable credentials, and disable any automation that can perform recharges/payments without explicit confirmation.

Like a lobster shell, security has layers — review code before you run it.

calendarvk97dd41h5fq6wm03y99ba2frdh84wq8qclassroomvk97dd41h5fq6wm03y99ba2frdh84wq8qclivk97dd41h5fq6wm03y99ba2frdh84wq8qlatestvk97dd41h5fq6wm03y99ba2frdh84wq8qnetfeevk97dd41h5fq6wm03y99ba2frdh84wq8qpkuvk97dd41h5fq6wm03y99ba2frdh84wq8qportalvk97dd41h5fq6wm03y99ba2frdh84wq8qrustvk97dd41h5fq6wm03y99ba2frdh84wq8qwechatvk97dd41h5fq6wm03y99ba2frdh84wq8q
58downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
@wjsoj
calendarclassroomclilatestnetfeepkuportalrustwechat
Download

portal - 北大校内信息门户 CLI

A CLI client for PKU's campus info portal — 空闲教室、校历、网费 in one command.

Architecture

  • Crate location: crates/portal/
  • Auth flow:
    • 空闲教室 / 校历:无需登录
    • 网费:its.pku.edu.cn 自己的上网账号密码(不是 IAAA SSO),复用 pkuinfo_common::credential(多数学生上网密码与 IAAA 相同)
  • API:
    • 空闲教室:GET /publicQuery/classroomQuery/retrClassRoomFree.do?buildingName=<中文>&time=<中文>,返回 {success, rows:[{room, cap, c1..c12}]}
    • 校历:simso.pku.edu.cn 是 Vue SPA,数据硬编码在 js/ccSchoolCalendar.<hash>.js bundle 里;先抓 HTML 取 bundle 文件名,再正则抽 t._v("...") 文本
    • 网费状态:POST /cas/webLogin/netportal/itsUtil?operation=info(HTML 表含余额)→ POST /cas/ITSweb cmd=selectGET /myConn.jsp(在线 IP 会话)
    • 网费充值:3 步 pkuConfirmpkuSendOrder → cwsf.pku.edu.cn 收银台 AJAX /PayPreService/pay/cashier/gotToPay 返回 {data:{urlCode}}
  • 验证码:复用 pkuinfo_common::captcha(manual / utool 免费 / ttshitu / yunma)

Key Source Files

  • src/main.rs — tokio::main 调用 pku_portal::run()
  • src/lib.rs — Clap CLI + dispatch
  • src/client.rs — reqwest client (simple 和 with cookies 两档)
  • src/freeclassroom.rs — 空闲教室 API + 渲染
  • src/calendar.rs — simso Vue bundle 解析
  • src/netfee.rs — ITS 登录 / 余额 / 会话 / 3 步充值 / 付款码 QR 渲染

CLI Commands

Command用途
free-classroom <building> [-d today|tomorrow|day-after] / fc查询空闲教室。building: 一教/二教/三教/四教/理教/文史/哲学/地学/国关/政管
calendar [-y 2025-2026] / cal显示校历(best-effort 从 simso JS bundle 抽取)
netfee status余额 + 在线会话
netfee recharge <amount> [-m wechat|alipay] [--captcha utool]充值,终端打印微信/支付宝付款二维码
netfee watch --threshold 10低余额监测,余额 < 阈值返回退出码 2

Auto-Login for AI Agents

info-auth check
portal free-classroom 一教            # 无需登录
portal calendar --year 2025-2026      # 无需登录
portal netfee status                  # 需要 keyring 凭据
portal netfee recharge 10 -m wechat   # 微信扫码付款,二维码直接打终端
portal netfee watch -t 5 || notify "PKU netfee low"

Development Notes

  • 所有文案中文;错误 anyhow::Result + .context("...")
  • its 的 /paybank/user.PayBankOrderPKU 响应页内嵌的 alert("验证码不能为空!") 是 JS 函数体里的 literal,不是真正的错误。只匹配独立 <script>alert("...");history.back();</script> 才是真错误
  • step1 paytype="" 即可;真正的 payType=02(微信)/01(支付宝)是 step3 收银台 AJAX 的字段
  • step2 响应会被重定向到 cwsf.pku.edu.cn 域,step3 要用那个域的 origin 而不是 its.pku.edu.cn
  • 微信付款二维码用 qrcode crate 的 Dense1x2 在终端渲染;兜底打印原始 urlCode 字符串
  • Session 持久化 ~/.config/info/portal/
  • 校历是 best-effort:simso 改版 JS 编译方式就会解析失败,错误信息里会提示用户

Comments

Loading comments...