ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Study Buddy - 牛宝华版

v1.0.0

AI助手帮助备考日语N2和软考架构师,支持智能出题、自动判分、错题记录和个性化学习计划。

0· 113·0 current·0 all-time
by@it-worker-club

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for it-worker-club/study-buddy-niu.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Study Buddy - 牛宝华版" (it-worker-club/study-buddy-niu) from ClawHub.
Skill page: https://clawhub.ai/it-worker-club/study-buddy-niu
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install study-buddy-niu

ClawHub CLI

Package manager switcher

npx clawhub@latest install study-buddy-niu
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Stated purpose (N2 +软考 quiz, scoring, wrong‑answer book) legitimately requires a backend data store like Feishu Bitable; however the package hardcodes a BITABLE_APP_TOKEN and BITABLE_TABLE_ID in both SKILL.md and src/index.js rather than declaring them as required credentials or asking the operator to provide them. Hardcoding the token is unnecessary for the feature and gives the token owner access to data created/read by the skill.
!
Instruction Scope
Runtime instructions and code keep scope to quiz/plan/progress functionality and only call Feishu Bitable APIs (via global.feishu_bitable_*). That is expected. However SKILL.md and code instruct the skill to record wrong answers and progress into Bitable; because a concrete app token is embedded, user answers and user IDs will be sent to the third‑party Bitable under that token. The SKILL.md suggests setting env vars but the code already uses hardcoded values — an inconsistency and potential misconfiguration/vector for data being stored under the author's account.
Install Mechanism
No external install script or suspicious downloads — this is code bundled with the skill and uses OpenClaw's runtime/global tools. No remote archives or arbitrary binary installs were found.
!
Credentials
The only external credential needed for the feature is a Bitable app token, which is proportionate. But instead of requiring the operator to supply their own token, the skill includes a hardcoded token and table ID in SKILL.md and code. That gives the token owner access to read/write the skill's data (questions, answers, user identifiers) and means user data may flow to an external account the operator does not control.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges; it uses in‑memory session caches and calls remote Bitable APIs. The notable persistence/privilege concern is external: data written to the remote Bitable will persist under whoever controls the embedded token. The skill does not modify other skills or global agent settings.
What to consider before installing
This skill appears to implement the advertised quiz and tracking features, but it embeds a Feishu/Bitable app token and table ID in its documentation and code. That means answers, wrong‑question records, and possibly user identifiers will be read/written to a remote Bitable owned by whoever controls that token — not necessarily you. Before installing or using: - Treat the included BITABLE_APP_TOKEN as sensitive: verify who owns it. If you don't control it, assume your users' data will be sent to that third party. - Prefer replacing the hardcoded token/table ID with your own Bitable app token (or configure the skill to require operator-supplied credentials) so data is stored under your account. - Inspect or run the code in a safe/test environment first; confirm which fields/IDs the skill sends. - If you cannot supply your own token, consider not installing or restrict the skill to non‑sensitive test accounts. If you want, I can point to exactly where in the files to change the CONFIG to use your token and how to verify what data will be written to the Bitable table.

Like a lobster shell, security has layers — review code before you run it.

latestvk97173t36e0keh63kjzz58dvxd83sqsk
113downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@it-worker-club
latest
Download

Study Buddy - 双轨学习助手

技能描述

一个帮助用户同时备考日语 N2 和软考架构师的 AI 学习助手。支持智能出题、自动判分、错题记录和学习计划生成。

触发条件

当用户消息包含以下任意关键词时激活本技能:

出题相关

  • "来一道" / "来一题"
  • "练习题" / "做题" / "刷题"
  • "模拟考" / "模拟考试" / "测试"
  • "N2" / "N1" / "日语" / "日文"
  • "软考" / "架构师" / "系统架构设计师"
  • "语法题" / "词汇题" / "选择题"

学习计划

  • "学习计划" / "今日计划" / "今天学什么"
  • "复习计划" / "备考计划"
  • "距离考试" / "还有几天考试"

错题本

  • "错题" / "错题本" / "我错的题"
  • "查看错题" / "我的错题"

进度统计

  • "进度" / "学习进度" / "我的进度"
  • "统计" / "学习统计" / "正确率"

帮助

  • "帮助" / "怎么用" / "你能做什么"
  • "功能" / "介绍"

功能列表

  1. 智能出题: 根据用户指令随机抽取题目(支持按类型/难度筛选)
  2. 自动判分: 用户回答后自动判断对错,显示解析
  3. 错题记录: 答错的题自动存入飞书 Bitable 错题本
  4. 学习计划: 根据考试日期生成每日学习任务
  5. 进度追踪: 统计答题数量、正确率、学习时长
  6. 帮助菜单: 展示可用功能和使用方法

依赖配置

使用前需要配置以下环境变量或在代码中设置:

const CONFIG = {
  BITABLE_APP_TOKEN: "SoZ5bkTBOa3LQisZHO1cAQuknDh",
  BITABLE_TABLE_ID: "tbl0TEk3P0GCqR2p"
};

使用示例

用户: 来一道 N2 语法题
助手: 📚 【N2 语法练习】第 38 题...(展示题目和选项)

用户: B
助手: ✅ 回答正确!解析:...

用户: 生成今日学习计划
助手: 📅 今日学习计划(2026-03-27)...

用户: 查看我的错题
助手: 📝 错题本统计...

版本: v1.0.0
作者: 牛宝华
比赛: OPC 极限挑战赛(上海站)

Comments

Loading comments...