Security scan
OpenClaw
Safe
high confidence
The skill's code, runtime instructions, and resource access align with its stated purpose of aggregating cross‑platform trending topics; it performs local scraping and clustering with no unexplained network endpoints or secret access.
Assessment recommendations
This skill is coherent with its description: it scrapes several public hot‑list pages, clusters titles locally, and formats a short markdown summary. Before installing, consider: (1) it executes Node.js code — review or run the scripts in a sandbox if you don't trust the author; (2) scraping can trigger site rate limits or violate terms of service—ensure you comply; (3) the SKILL.md expects the host to send the markdown to Feishu via a messaging tool — verify which account/channel will receive m...
✓ Purpose and capabilities
Name/description match the implementation: index.js fetches top lists from Weibo/Douyin/Toutiao/Baidu/Zhihu/Tencent, writes hot-data.json; format.js clusters and formats results. No unrelated services, binaries, or secrets are requested.
✓ Instruction scope
SKILL.md instructs running the two scripts and sending formatted stdout to a messaging tool (Feishu). The scripts only read/write the declared hot-data.json and perform scraping and local clustering; they do not instruct reading other system files or environment variables.
✓ Install mechanism
No install spec; both scripts use only Node.js built-ins (https, fs, zlib, path, url). There are no downloads from third‑party URLs or extracted archives. Risk is limited to executing provided JS with node.
ℹ Credential requirements
Skill requests no environment variables or credentials. One small mismatch: SKILL.md expects a 'message' tool to send output to Feishu (action=send, channel=feishu) but the skill does not declare Feishu credentials — this is likely intentional because messaging is provided by the host platform, but you should confirm the platform's message tool will behave as expected and that you trust the destination channel.
✓ Persistence and privileges
always is false and the skill is user-invocable; it does not request persistent agent-level privileges or modify other skills. Autonomous invocation is allowed by default but not combined with other risky privileges here.
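Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/3
Initial release
● Benign
Install command
Official: npx clawhub@latest install realtime-hot
Mirror (accelerated): npx clawhub@latest install realtime-hot --registry https://cn.clawhub-mirror.com
Skill documentation
Execution steps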
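- Fetch data:
  node ./scripts/index.js
  ./scripts/hot-data.json (top 50 entries from each of the six platforms: Weibo/Douyin/Toutiao/Baidu/Zhihu/Tencent)
- Read and cluster:
  node ./scripts/format.js
- Send: use the message tool to send the stdout output of format.js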
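Mandatory rules
- The model only runs the scripts; it must not generate or modify the format itself
- Use only exec and read; browser, agent-browser, and web_fetch are prohibited
Data source: ClawHub · Chinese localization: 龙虾技能库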