Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zsxq Group

v0.1.0

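Zsxq (知识星球) group management: list groups, browse topics, query hashtags, search members. Use when the user needs to view the groups they have joined or created, browse group content, get a group_id, or query a group's hashtags or members.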

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zhuguojie-unnoo/zsxq-group.

Prompt preview (Install & Setup):
Install the skill "Zsxq Group" (zhuguojie-unnoo/zsxq-group) from ClawHub.
Skill page: https://clawhub.ai/zhuguojie-unnoo/zsxq-group
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install zsxq-group

ClawHub CLI

npx clawhub@latest install zsxq-group

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The documented purpose (list groups, browse topics, query hashtags/members) is coherent with the instructions that call a zsxq-cli and its api call surface. However, the top-level registry metadata claimed no required binaries/env vars while the SKILL.md explicitly lists requires.bins: ["zsxq-cli"]. The skill's source/homepage is unknown, which reduces provenance and makes the presence of an external CLI harder to justify without further information.

[!] Instruction Scope

The SKILL.md has a CRITICAL precondition: the agent MUST read ../zsxq-shared/SKILL.md for authentication and error-handling rules. That external file likely contains authentication instructions (possibly env var names or token handling). Requiring the agent to read a sibling SKILL.md expands the scope beyond this skill's files and could expose or require access to credentials or other configuration not declared here. The runtime instructions also tell the agent to run zsxq-cli api call with user-supplied params — which is expected for this purpose, but the dependency on an external, undeclared shared file is the main scope concern.

Install Mechanism

This is instruction-only with no install spec, which is lower risk because nothing is written to disk by the skill itself. However, it relies on an external binary (zsxq-cli). The skill provides no install mechanism or provenance for that binary, so the agent/operator must trust and separately install zsxq-cli; lack of an install spec or source for the CLI is a gap that increases risk.

[!] Credentials

The registry lists no required environment variables or primary credential, but the SKILL.md explicitly requires reading ../zsxq-shared/SKILL.md for authentication. That suggests this skill implicitly depends on credentials or env vars declared elsewhere but does not enumerate them here. Missing explicit declaration of required credentials (TOKEN/KEY/PASSWORD) is disproportionate for auditing and increases the chance the agent will access unspecified sensitive data.

Persistence & Privilege

always:false and no install spec — the skill does not request permanent presence or elevated privileges. It does not appear to modify other skills or system-wide settings. Autonomous invocation is allowed but is the platform default and not a standalone concern here.

What to consider before installing

This skill appears to do what it says (manage Zsxq groups) but has two red flags: (1) the SKILL.md requires the agent to read ../zsxq-shared/SKILL.md for authentication, yet this skill does not declare which credentials or env vars it needs; and (2) it expects a zsxq-cli binary but provides no install/source or provenance. Before installing or enabling this skill: inspect the referenced ../zsxq-shared/SKILL.md to learn exactly what credentials or tokens it requires; verify the zsxq-cli binary source and trustworthiness (official repo or package); ensure you are comfortable with any environment variables or files the shared SKILL.md asks the agent to access; and avoid enabling the skill if the referenced shared file or the CLI come from an unknown/untrusted origin. If you can obtain the zsxq-shared SKILL.md and verify the CLI origin, the risk is much lower.

Like a lobster shell, security has layers — review code before you run it.

latest: vk9778xdf7jt6rjjk7vfx8k6pmx855nat
148 downloads
0 stars
1 version
Updated 1w ago
v0.1.0
MIT-0

group (v1)

CRITICAL: before starting, you MUST first use the Read tool to read ../zsxq-shared/SKILL.md, which contains the authentication and error-handling rules.

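Core Concepts

  • Group (星球): the community unit of Zsxq (知识星球), uniquely identified by group_id (digits only). A user can be the creator (owner) or a member (member).
  • Topic (主题): a unit of content inside a group, including posts (talk), questions (q&a), articles (article) and so on, uniquely identified by topic_id.
  • Hashtag (标签): a classification tag inside a group, identified by hashtag_id, which can be attached to topics.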

Resource Relationships

Group (group_id)
├── Topic (topic_id) — talk / q&a / article
│   ├── Comment (comment_id)
│   └── Hashtags
└── Hashtag (hashtag_id)
    └── Topic list

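Shortcuts (recommended, use these first)

A Shortcut is a high-level wrapper around a common operation (zsxq-cli group +<verb> [flags]). When an operation has a Shortcut, prefer it.

Shortcut     Description
+list        Lists all groups the current user has joined; supports pagination; outputs a table of group_id and name
+topics      Lists the latest topics in a group; supports a pagination cursor; outputs a table of topic_id / type / title / time
+hashtags    Lists all hashtags in a group and the number of topics under each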

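API (called directly via zsxq-cli api call)

zsxq-cli api list                           # list all available tools
zsxq-cli api call <tool> --params '<json>'  # call a tool

Advanced operations not covered by Shortcuts:

Tool                    Parameters                      Description
search_groups           keyword                         Search groups by keyword
search_group_members    group_id, keyword, limit        Search group members
get_hashtag_topics      hashtag_id, limit, end_time     List the topics under a hashtag (paginated)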
