Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PKU Claspider

v1.0.0

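Peking University course information scraping CLI (dean.pku.edu.cn Dean's Office + elective.pku.edu.cn course selection site + onlineroomse.pku.edu.cn Zhiyun Classroom). When the user mentions claspider, course crawler, course information scraping, course catalog, university-wide course offerings, looking up courses by department/teacher/keyword, or merging course data, use this...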


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wjsoj/pku-claspider.

Prompt preview (Install & Setup):
Install the skill "PKU Claspider" (wjsoj/pku-claspider) from ClawHub.
Skill page: https://clawhub.ai/wjsoj/pku-claspider
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install pku-claspider

ClawHub CLI

npx clawhub@latest install pku-claspider

Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (high confidence)

[!] Purpose & Capability
SKILL.md describes a compiled CLI (crates/, src/*.rs) and runtime commands (claspider dean/elective/zhiyun/merge). However the skill bundle is instruction-only with no binaries, no install spec, and registry metadata lists no required binaries. That is inconsistent: the instructions assume a local 'claspider' tool exists but the skill does not provide or declare how to obtain it.

[!] Instruction Scope
Runtime instructions explicitly reference reading/using an existing elective session directory (~/.config/info/elective/) and copying a browser JWT cookie (_token) for zhiyun. Those are sensitive local artifacts. The skill text instructs reuse of local session material even though the skill metadata declared no config paths; an agent following these instructions could be directed to access private credentials/config not declared up front.

[!] Install Mechanism
No install specification or downloadable artifact is provided despite detailed references to source files and a CLI. This leaves unclear how the described tool would be installed or whether following the SKILL.md would cause the agent to fetch code from external locations (not specified). Instruction-only packaging plus expectation of a local binary is a coherence problem and a potential operational risk.

[!] Credentials
The skill declares no required environment variables or credentials but the instructions require sensitive tokens/sessions in practice: a zhiyun JWT copied from the browser and reuse of the elective session stored at ~/.config/info/elective/. Those are effectively secrets but are not declared as required — the mismatch is disproportionate and should be explicitly documented and justified.

[!] Persistence & Privilege
The skill states it has no own session storage, but instructs reuse of another tool's session directory (~/.config/info/elective/). Accessing or reusing other tools' credentials/config is a privileged action relative to a simple scraper and should be declared. The skill does not request persistent installation privileges (always:false), but its instructions imply reading user-local secrets which raises privilege concerns.

What to consider before installing

This skill's README describes a local Rust CLI that uses your browser JWT (_token) and an existing elective session stored in ~/.config/info/elective/, but the package contains no code, no install instructions, and declares no required credentials — that mismatch is a red flag. Before installing or running anything:

  1) Ask the publisher for the actual binary/source and an install spec (or a link to a vetted release).
  2) Confirm exactly how the tool accesses ~/.config/info/elective/ and whether it will read or modify those files.
  3) Never paste your browser JWT or IAAA credentials into an unverified tool; prefer scoped API tokens or run the tool in an isolated VM/container.
  4) If you need this functionality, prefer a variant that documents required secrets (and why), or obtain source code to review.

Absence of regex scan findings is not assurance — the manifest/instructions themselves are the source of the concern.
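
The mismatch the scan describes can be checked mechanically. The following Python check is an added example, not ClawHub's scanner and not part of the skill: it compares what the instructions reference (home-directory paths, token-bearing flags, invoked commands) with what a manifest declares. The manifest dictionary shape (`binaries`, `config_paths`, `credentials`) is an assumption, and the sample text is constructed from lines on this page.

```python
import re

# Constructed sample: instruction lines taken from the SKILL.md text on this page.
SKILL_MD = """\
No session storage of its own; login state is reused directly from ~/.config/info/elective/
elective login -p
claspider elective --category speciality --dept 00048 --json > info_elective.json
claspider zhiyun --token eyJhbGc... --week-start 2026-04-13 --json > info_zhiyun.json
claspider merge --term 25-26-2 --zhiyun-token eyJhbGc... --zhiyun-week 2026-04-13 --json
"""

# Hypothetical manifest shape (assumption). The page states only that the
# registry metadata declares no binaries, config paths or credentials.
DECLARED = {"binaries": [], "config_paths": [], "credentials": []}

HOME_PATH = re.compile(r"~/[\w./-]+")
SECRET_FLAG = re.compile(r"--[\w-]*(?:token|password|secret|cookie)[\w-]*", re.I)
# A command line here is "<binary> <subcommand> -<flag...>" at the start of a line.
COMMAND = re.compile(r"^([a-z][\w-]*)[ \t]+[a-z][\w-]*[ \t]+-", re.M)


def _covered(path, declared_paths):
    """True if path equals a declared path or lies beneath one."""
    p = path.rstrip("/")
    return any(p == d.rstrip("/") or p.startswith(d.rstrip("/") + "/")
               for d in declared_paths)


def audit(skill_md, declared):
    """Return sorted (kind, value) pairs the instructions use but the manifest omits."""
    findings = set()
    for path in HOME_PATH.findall(skill_md):
        if not _covered(path, declared["config_paths"]):
            findings.add(("undeclared_config_path", path))
    for flag in SECRET_FLAG.findall(skill_md):
        if flag not in declared["credentials"]:
            findings.add(("undeclared_credential", flag))
    for cmd in COMMAND.findall(skill_md):
        if cmd not in declared["binaries"]:
            findings.add(("undeclared_binary", cmd))
    return sorted(findings)


if __name__ == "__main__":
    for kind, value in audit(SKILL_MD, DECLARED):
        print(f"{kind}: {value}")
```
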

Like a lobster shell, security has layers — review code before you run it.

Tags: catalog, cli, course, crawler, latest, pku, rust, spider
56 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

claspider - PKU course information scraping CLI

A CLI scraper that pulls course catalog data from multiple PKU sources and merges them into a queryable JSON export.

Architecture

  • Crate location: crates/claspider/
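  • Data sources
    • Dean's Office timetable query (dean.pku.edu.cn): no login required, HTML scraping, covers every course offered university-wide
    • Course selection system (elective.pku.edu.cn): requires IAAA login (reuses the pku-elective crate's session), iterates by course category; provides the remarks, teaching arrangements and course descriptions that only the course selection site has
    • Zhiyun Classroom (onlineroomse.pku.edu.cn): requires the browser _token cookie (a JWT); queries, week by week, the courses that have live streams or recordings
  • Merge: the fields for the same course in the three sources complement one another; the merge subcommand aligns them by course number and produces the most complete JSON
  • No session storage of its own; login state for course selection is reused directly from ~/.config/info/elective/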

Key Source Files

  • src/main.rs — tokio::main calls pku_claspider::run()
  • src/lib.rs — Clap CLI definition + dispatch
  • src/dean.rs — Dean's Office HTML scraping
  • src/elective_query.rs — course selection site scraping (reuses pku_elective::client_build)
  • src/zhiyun.rs — Zhiyun Classroom JWT API
  • src/model.rs — unified Course struct + merge algorithm
  • src/display.rs — terminal rendering

CLI Commands

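| Command | Purpose |
| --- | --- |
| dean --term 25-26-2 [--dept 00048] [--keyword ...] [--teacher ...] [--json] | Fetch courses from the Dean's Office (no login required) |
| elective --category speciality [--dept ...] [--keyword ...] [--json] | Fetch courses from the course selection site (requires elective login -p first) |
| zhiyun --token <JWT> --week-start 2026-04-13 [--detail] [--json] | Fetch courses with live streams/recordings from Zhiyun Classroom |
| merge --term 25-26-2 --category speciality [--dept ...] [--zhiyun-token ...] [--zhiyun-week ...] [--json] | Three-way merge |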

Course selection site category values: speciality (major courses) / politics / english / gym / tsk_choice (general electives) / pub_choice / liberal_computer / ldjyk / szxzxbx / education_plan_bk

Typical usage

# Dean's Office only: fetch every course the School of EECS offers this term, export JSON
claspider dean --term 25-26-2 --dept 00048 --json > info.json

# Supplement from the course selection site (requires a prior elective login)
elective login -p
claspider elective --category speciality --dept 00048 --json > info_elective.json

# Zhiyun Classroom: take the _token cookie from the browser
claspider zhiyun --token eyJhbGc... --week-start 2026-04-13 --json > info_zhiyun.json

# Three-way merge
claspider merge --term 25-26-2 --category speciality --dept 00048 \
  --zhiyun-token eyJhbGc... --zhiyun-week 2026-04-13 --json > info_merged.json

Development Notes

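  • All user-facing text is in Chinese; errors use anyhow::Result + .context("...")
  • The dean source is the most stable (stable HTML structure, no login required), so it serves as the backbone of the merge
  • Course selection site scraping reuses the elective crate's reqwest client factory via pku_elective::client_build(cookie_store), avoiding a second implementation of IAAA login; claspider itself, however, has no session directory of its own
  • The Zhiyun token is not produced by IAAA; it is the Zhiyun front end's own JWT and can only be copied manually from the browser cookies for onlineroomse.pku.edu.cn; there is no CLI login entry point
  • The merge algorithm's key is the course number (including the class number); it is implemented in src/model.rs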

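Differences from other crates

  • Not elective (the course enrollment/drop tool): claspider is read-only and does not call elect/drop
  • Not treehole course (which looks up a single student's timetable for the current term): claspider scrapes the university-wide catalog
  • Not course (PKU's teaching site / Blackboard): that is an assignments/courseware platform, unrelated to the course catalog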
