PKU Info Auth
v1.0.0PKU unified credential management CLI (统一凭据管理). Use this skill when the user or AI Agent needs to authenticate with PKU services, manage stored credentials,...
⭐ 0· 94·0 current·0 all-time
by@wjsoj
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (PKU credential manager) match the SKILL.md: it documents storing credentials in the OS keyring and an agent workflow for logging into PKU services. It does not request unrelated permissions, binaries, or credentials. One minor note: the skill references external CLIs (treehole/course/campuscard/elective) but does not provide or install them — the agent will assume those tools are present.
Instruction Scope
Instructions are narrowly scoped to credential storage/status and running other PKU CLIs. They do reference environment variables that hold secrets (PKU_USERNAME, PKU_PASSWORD, PKU_SMS_CODE) and show examples of setting an env var for an SMS code. The SKILL.md also instructs agents not to read the keyring directly and to use info-auth commands, which is reasonable. Because the skill tells the agent to run other CLIs (which the skill doesn't supply or verify), an agent following these instructions could execute arbitrary external binaries if they exist on the host; confirm those CLIs are trusted before proceeding.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest risk from installation. Nothing will be written to disk by the skill itself. No download URLs or package installs are present.
Credentials
The registry metadata declares no required env vars or credentials, and the skill itself does not demand secrets up front. The SKILL.md references PKU_USERNAME/PKU_PASSWORD/PKU_SMS_CODE as possible sources of credentials, which is appropriate for a credential helper, but it means agents or users may be asked to place secrets into environment variables. Be cautious about where those env vars are set (avoid exposing them in long-lived shell profiles or shared CI logs).
Persistence & Privilege
The skill is not marked always:true, does not request persistent presence or elevated privileges, and is user-invocable. It does not modify other skills' configurations. Autonomous invocation is allowed by default but not combined with other concerning factors here.
Assessment
This skill appears coherent for acting as a PKU credential helper: it instructs storing credentials in the OS keyring and how an agent should use them. Before installing/using it, verify the origin — there is no source repository or homepage listed. Specifically: 1) Confirm the info-auth and the referenced PKU CLIs (treehole/course/campuscard/elective) are legitimate binaries you trust and install them from official sources. 2) Prefer using the OS keyring flow (info-auth store) rather than putting passwords in environment variables or shell profiles; if you must use PKU_SMS_CODE in an env var, set it only for the single command (as in PKU_SMS_CODE=123456 treehole login -p) and avoid persisting it. 3) Ask the provider for source code or release artifacts (repository URL, signed releases, or package manifests); that would raise confidence to high. 4) If you want extra caution, run info-auth commands in a constrained environment (local user account with separate credentials) and audit what external CLIs do when invoked.Like a lobster shell, security has layers — review code before you run it.
authvk972rkab1wew9yqjxawy7bb0zd84hbmvclivk972rkab1wew9yqjxawy7bb0zd84hbmvcredentialvk972rkab1wew9yqjxawy7bb0zd84hbmvkeyringvk972rkab1wew9yqjxawy7bb0zd84hbmvlatestvk972rkab1wew9yqjxawy7bb0zd84hbmvpkuvk972rkab1wew9yqjxawy7bb0zd84hbmvrustvk972rkab1wew9yqjxawy7bb0zd84hbmv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.