Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (SJTU Shuiyuan forum guide) match the SKILL.md content. All described capabilities are informational (browse, post, reply, search, notifications) and align with Discourse endpoints listed. The skill does not request unrelated binaries, credentials, or system access.
Instruction Scope
SKILL.md is purely descriptive (UI flow, Discourse API endpoints, cookie names, browser features). It does not instruct the agent to read local files, environment variables, or transmit data to external endpoints. Note: it documents cookie/session names and POST endpoints — performing interactive actions (creating posts, reading notifications) would require authentication, which the skill does not itself provide or request.
Install Mechanism
No install spec and no code files — lowest-risk, instruction-only skill. Nothing is downloaded or written to disk.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate for a read/guide-only skill. Be aware that actual posting/reply actions on the forum require jAccount authentication or API tokens; the skill does not request or manage those credentials.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent presence or modify other skills or system settings. Autonomous invocation is allowed by platform default but not requested by the skill itself.
Assessment
This skill is an offline/reference guide and appears safe to install. Before allowing the agent to act on your behalf on the forum, remember: (1) the skill does not manage login — do not share your jAccount password directly; prefer site-supported OAuth or API tokens if available; (2) posting or reading private notifications requires authentication and exposing session cookies or tokens can compromise your account — never paste session cookies into third-party interfaces unless you understand the risk; (3) if the agent asks for credentials to perform actions, consider performing those actions yourself in the browser instead or create a limited-scope token. If you need the agent to post or manage notifications programmatically, require it to use an explicit, revocable API token rather than permanent account credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk97fcvbvn6art7z01p2s5nxhk1848t2f
License
MIT-0
Free to use, modify, and redistribute. No attribution required.