Security scan
OpenClaw
Suspicious
Medium confidence. The skill's description promises multi-source, location-aware Chinese box-office and showtime scraping (Bocha, Tavily, 猫眼/淘票票, agent-browser) but the package metadata, declared requirements, and included code are inconsistent — required API keys and install steps are referenced in docs but not declared, and the runtime script only fetches Rotten Tomatoes/Variety — this mismatch warrants caution.
Assessment recommendations
This package has inconsistent documentation vs code. Before installing or supplying credentials: (1) Ask the author to clarify and update the registry metadata to declare required env vars (BOCHA_API_KEY, TAVILY_API_KEY) and any binaries (agent-browser, node). (2) Confirm whether the skill will actually call Bocha/Tavily/猫眼/淘票票 and whether you must install agent-browser globally (npm install -g) — global npm installs modify your system. (3) If you must provide API keys, only provide scoped keys ...
Detailed analysis
⚠ Purpose and capabilities
SKILL.md and CONFIG.md describe heavy reliance on Bocha API, Tavily, and agent-browser for real-time Maoyan/淘票票 data and mention BOCHA_API_KEY and TAVILY_API_KEY; the public registry metadata lists no required env vars. The included Python script (nowplaying.py) only fetches Rotten Tomatoes and Variety and does not implement Bocha/Tavily/猫眼/淘票票 scraping or agent-browser integration. This is a substantive mismatch between claimed capabilities and actual code/declared requirements.
⚠ Instruction scope
The runtime instructions direct the agent to: check for user location (city/coordinates) from system context, run external tools (agent-browser, node tavily-search script), call remote APIs with API keys, spin up a local HTTP server, and take browser-rendered screenshots. Those actions access system context, start local servers, and invoke external tools — yet none of those env vars/binaries are declared in the skill manifest. The SKILL.md also mandates strict output structure and real-time scraping of third‑party Chinese sites (猫眼/淘票票) which can require more privileges or tooling than the provided code uses.
ℹ Install mechanism
There is no install spec in the skill package (instruction-only install). However the docs instruct installing agent-browser globally via npm and using an external node script (tavily-search). Because installation steps are only in prose and not declared in metadata, an agent following SKILL.md could attempt to run npm install -g, which modifies the system environment. That action is not pre-declared and increases operational risk. The included code itself has no package install step and only uses Python stdlib HTTP calls.
⚠ Credential requirements
CONFIG.md and SKILL.md expect BOCHA_API_KEY and TAVILY_API_KEY (and implicitly possible BRAVE_API_KEY / SEARXNG_URL), but the skill's manifest lists no required environment variables or primary credential. The mismatch means a user might need to supply sensitive API keys not signaled by the registry metadata. Additionally SKILL.md tells the agent to probe for user location/context without declaring how that data is accessed or authorized.
✓ Persistence and privileges
The skill is not marked always:true and does not request system-wide persistence. It does not modify other skills' configs in the provided files. The package will not be force-included in every agent run based on metadata.
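Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.1.0 2026/4/16
Added the complete execution scripts nowplaying.py and run.sh, with support for fetching now-showing theatrical film information in real time
● Suspicious
Install command
Official: npx clawhub@latest install nowplaying-xhs
Mirror (accelerated): npx clawhub@latest install nowplaying-xhs --registry https://cn.clawhub-mirror.com
Skill documentation
No SKILL.md content was provided, so it cannot be translated.
Data source: ClawHub ↗ · Chinese localization: 龙虾技能库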