ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zsxq User

v0.1.0

知识星球用户信息:查看当前登录用户的个人资料、查询跨星球的最近发主题足迹。当用户需要查看自己的用户 ID、昵称、头像、认证状态,或查看自己最近在各星球发过的主题时使用。

0· 150·0 current·0 all-time
by@zhuguojie-unnoo

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zhuguojie-unnoo/zsxq-user.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Zsxq User" (zhuguojie-unnoo/zsxq-user) from ClawHub.
Skill page: https://clawhub.ai/zhuguojie-unnoo/zsxq-user
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install zsxq-user

ClawHub CLI

Package manager switcher

npx clawhub@latest install zsxq-user
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (view current user info and cross-group footprints) aligns with the instructions to call zsxq-cli user +info and +footprints. However, SKILL.md declares a required binary (zsxq-cli) in metadata while the registry metadata above lists no required binaries — this mismatch should be resolved.
Instruction Scope
Runtime instructions are narrow and CLI-focused (run zsxq-cli user +info / +footprints). They explicitly require the agent to READ ../zsxq-shared/SKILL.md first for authentication/error rules. Reading that shared SKILL.md is reasonable for auth guidance, but it introduces dependence on another skill's contents (and potentially on where credentials are stored). The instructions do not ask the agent to read arbitrary system files or exfiltrate data.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — it does not write code to disk or download artifacts, which is low risk. The only runtime requirement is the external CLI binary (zsxq-cli) referenced in SKILL.md.
!
Credentials
No environment variables, credentials, or config paths are declared in the registry metadata, yet the skill depends on authentication (handled via the referenced zsxq-shared/SKILL.md) and on the zsxq-cli binary. The skill does not declare where or how credentials are provided; that gap is concerning because the shared doc may reference environment variables or stored tokens not disclosed here.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent system presence or attempt to modify other skills. The only elevated action is reading the shared SKILL.md for auth rules, which is within scope but should be reviewed.
What to consider before installing
Before installing or enabling this skill: (1) Inspect the referenced ../zsxq-shared/SKILL.md to see exactly how authentication works and where credentials/tokens are stored or read from; confirm it does not instruct the agent to read unrelated files or environment variables. (2) Verify the zsxq-cli binary is trustworthy (where it comes from) and that the registry metadata correctly lists it as a requirement. (3) Confirm there are no hidden endpoints or instructions in zsxq-shared that would transmit your credentials to an unexpected server. (4) If you cannot review zsxq-shared, treat this skill as higher risk and avoid granting it autonomous invocation until the auth details are clear.

Like a lobster shell, security has layers — review code before you run it.

latestvk97et4f8ecbvasf83ewfxsssth855gfp
150downloads
0stars
1versions
Updated 1w ago
v0.1.0
MIT-0
@zhuguojie-unnoo
latest
Download

user (v1)

CRITICAL — 开始前 MUST 先用 Read 工具读取 ../zsxq-shared/SKILL.md,其中包含认证、错误处理规则。

Core Concepts

  • 用户(User):当前已登录的知识星球账户,由 user_id(纯数字)唯一标识。user_idgroup +list、搜索成员等操作中被用作参数。

Shortcuts(推荐优先使用)

Shortcut说明
+info查看当前登录用户的完整个人资料,含 user_id、昵称、认证状态
+footprints查看自己在所有星球发过的主题(跨星球足迹),支持分页

API(通过 zsxq-cli api call 直接调用)

工具参数说明
search_group_membersgroup_id, keyword, limit在星球内按昵称搜索成员,获取其 user_id

Comments

Loading comments...