ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zhipu Tools Coding Plan

v1.2.1

智谱 AI 原生工具 - 网络搜索、网页读取、仓库文档搜索和文件解析。基于 Z.AI Coding Plan MCP 端点,全部免费使用。

0· 189·1 current·1 all-time
by@wnzzer

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wnzzer/zhipu-tools-coding-plan.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Zhipu Tools Coding Plan" (wnzzer/zhipu-tools-coding-plan) from ClawHub.
Skill page: https://clawhub.ai/wnzzer/zhipu-tools-coding-plan
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install zhipu-tools-coding-plan

ClawHub CLI

Package manager switcher

npx clawhub@latest install zhipu-tools-coding-plan
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's functionality (web search, web reader, GitHub repo search, file parsing) is consistent with the included scripts and Python tool. However, the registry metadata and listed requirements claim 'no required env vars' while SKILL.md and all scripts require a ZHIPU_API_KEY (and optionally ZHIPU_USE_MCP). That mismatch is an incoherence that should be corrected by the author.
Instruction Scope
The runtime instructions and scripts only perform network requests to the declared MCP endpoint (api.z.ai) and the legacy bigmodel endpoint (open.bigmodel.cn). They do not attempt to read unrelated local config or secrets, but the file_parser script uploads arbitrary files to the legacy endpoint (open.bigmodel.cn/files/parser/sync). Uploading local documents to an external service is expected for file parsing but is sensitive — users should not feed private/confidential files unless they accept that external transmission.
Install Mechanism
This is an instruction-only skill (no install spec). The package contains scripts and a Python file; there is no remote download/install action in the skill manifest. Installation is via cloning or a package manager outside the skill (README suggests git clone or clawhub). No extract-from-URL or remote binary installs are present in the skill files.
!
Credentials
The code requires a single sensitive secret: ZHIPU_API_KEY (and optionally ZHIPU_USE_MCP) which is proportional to the stated capabilities. However, the declared registry requirements omit that environment variable entirely (metadata lists none). That omission is misleading and increases risk because automated permission/visibility checks may not flag the need for a credential. Also, file parsing will send file contents to the legacy endpoint, so the API key grants the skill the ability to make network calls that could expose data.
Persistence & Privilege
The skill does not request always:true and uses normal autonomous invocation defaults. It does not modify other skills or system-wide settings in the provided code. No unusual persistence or elevated privileges are requested.
What to consider before installing
This skill implements the features it advertises, but be aware of two things before installing: (1) you must provide a ZHIPU_API_KEY (the package metadata incorrectly says no env vars required) — treat that key as sensitive and do not commit it to version control; (2) the file_parser uploads any file you give it to an external legacy endpoint (open.bigmodel.cn), so do not parse confidential documents unless you accept that external transmission. If you need to proceed, prefer creating a dedicated API key with minimal permissions, verify the endpoints (api.z.ai and open.bigmodel.cn) are what you expect, and ask the publisher to fix the skill metadata to declare ZHIPU_API_KEY so the requirement is visible in automated audits.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ftpxs0fqfmwhd6jnysjmvc985dexa
189downloads
0stars
3versions
Updated 5d ago
v1.2.1
MIT-0
@wnzzer
latest
Download

智谱工具 Coding Plan (Zhipu Tools)

基于 Z.AI Coding Plan MCP 端点 的免费工具集:网络搜索、网页读取、GitHub 仓库文档搜索和文件解析。

功能

功能MCP 工具端点说明
网络搜索web_search_prime/web_search_prime/mcp实时互联网搜索,支持过滤
网页读取webReader/web_reader/mcp抓取网页标题、正文、元数据
仓库文档搜索search_doc/zread/mcp搜索 GitHub 仓库文档
仓库目录结构get_repo_structure/zread/mcp查看 GitHub 仓库目录树
仓库文件读取read_file/zread/mcp读取 GitHub 仓库指定文件
文件解析Legacy API解析 PDF/Word/Excel/PPT 等

前五项通过 Coding Plan MCP 端点免费调用,文件解析仅支持旧版 API。

配置

openclaw.json 中配置 API Key:

{
  "skills": {
    "entries": {
      "zhipu-tools": {
        "apiKey": "YOUR_ZHIPU_API_KEY"
      }
    }
  }
}

或设置环境变量:ZHIPU_API_KEY

MCP vs Legacy 模式

模式端点额度切换方式
MCP (默认)api.z.ai/api/mcp/...Z.AI Coding Plan 免费默认启用
Legacyopen.bigmodel.cn/api/paas/v4/...账户余额ZHIPU_USE_MCP=false

MCP 模式自动 fallback:MCP 失败时会自动尝试 Legacy API。

使用方式

网络搜索 (web_search_prime)

cd ~/.openclaw/workspace/skills/zhipu-tools

# Shell
./scripts/web_search.sh "搜索关键词" [count]

# Python(支持更多参数)
python3 scripts/zhipu_tool.py web_search "搜索关键词" \
  --count 10 --recency week --domain example.com

网页读取 (webReader)

# Shell
./scripts/web_reader.sh "https://www.example.com"

# Python
python3 scripts/zhipu_tool.py web_reader "https://www.example.com"

GitHub 仓库文档搜索 (Zread)

# Shell - 搜索仓库文档
./scripts/zread.sh search "openai/openai" "how to use"

# Shell - 查看目录结构
./scripts/zread.sh structure "openai/openai"
./scripts/zread.sh structure "openai/openai" "src/"

# Shell - 读取文件
./scripts/zread.sh read "openai/openai" "README.md"

# Python
python3 scripts/zhipu_tool.py zread search "openai/openai" "how to use"
python3 scripts/zhipu_tool.py zread structure "openai/openai" --path src/
python3 scripts/zhipu_tool.py zread read "openai/openai" "README.md"

文件解析 (Legacy only)

./scripts/file_parser.sh /path/to/document.pdf PDF
python3 scripts/zhipu_tool.py file_parser /path/to/document.docx --file-type DOCX

MCP 工具参数详情

web_search_prime

参数类型必填说明
search_querystring搜索内容,建议不超过 70 字符
search_recency_filterstringoneDay, oneWeek, oneMonth, oneYear, noLimit
content_sizestringmedium (默认), high
locationstringcn, us
search_domain_filterstring限制搜索域名

webReader

参数类型必填说明
urlstring目标网页 URL

返回:标题、正文内容、元数据、链接列表。

search_doc

参数类型必填说明
repostringGitHub 仓库,如 "openai/openai"
querystring搜索关键词

get_repo_structure

参数类型必填说明
repostringGitHub 仓库
pathstring子目录路径

read_file

参数类型必填说明
repostringGitHub 仓库
pathstring文件路径,如 "README.md"

MCP 协议

所有远程 MCP 端点通过 streamableHttp 协议交互:

  1. POST initialize → 响应 header 返回 mcp-session-id
  2. POST notifications/initialized → 通知就绪
  3. POST tools/call → 调用具体工具

Headers: Authorization: Bearer $API_KEY, Content-Type: application/json, Accept: text/event-stream, application/json

Coding Plan 套餐额度

套餐搜索/网页读取/仓库搜索 次数/月价格
Lite100 次免费
Pro1,000 次免费
Max4,000 次免费

额度次月自动重置。

注意事项

  • API Key 敏感信息,不要提交到 Git
  • Zread(仓库文档搜索)仅支持 MCP 模式
  • 文件解析仅支持旧版 API(bigmodel 端点)
  • 所有 MCP 工具通过 Coding Plan 免费额度调用

Comments

Loading comments...