Security scan
OpenClaw
Suspicious
medium confidence
The skill's code appears to do only what it says (fetch and parse top.baidu.com) and contains no obvious exfiltration, but its metadata/instructions under‑declare required tools (python3 and the openclaw web_fetch tool) and show minor metadata inconsistencies — review before installing or running.
Assessment recommendations
This skill's code matches its stated purpose (scraping and parsing https://top.baidu.com). Before installing or running it:
1) Verify you have Python 3 and the openclaw web_fetch tool available — the skill does not declare these but requires them at runtime.
2) Inspect or run the scripts in a sandbox/network-monitored environment the first time to confirm only top.baidu.com is contacted.
3) Note minor metadata inconsistencies (author strings differ between files and package.json lists 'python3' ...
⚠ Purpose and capabilities
The skill claims to fetch and parse Baidu hot lists, and the bundled scripts do exactly that. However the package/registry metadata lists no required binaries while the runtime clearly invokes python3 and/or the 'openclaw web_fetch' tool. A legitimate deploy would normally declare python3 and the web_fetch tool as required. This mismatch is an incoherence to be aware of.
⚠ Instruction scope
SKILL.md and scripts restrict network access to top.baidu.com and the code parses only HTML input; there are no reads of ~/.ssh, .env, or other sensitive files. Still, the declared allowed-tools (web_fetch, Bash) omit python3 even though the instructions show running python3 scripts; baidu_fetch.py also expects HTML on stdin. The instructions rely on external tooling not declared in requirements.
ℹ Install mechanism
No install spec (instruction-only) — lowest install risk and nothing is downloaded at install time. The repository includes local scripts (Python and Bash) rather than fetching remote code. This is generally low risk, but running the scripts requires local tools (python3, openclaw web_fetch) which are not declared.
✓ Credential requirements
The skill does not request environment variables, credentials, or config paths. The scripts do not appear to read or transmit secrets and they only target the hardcoded top.baidu.com domain.
✓ Persistence and privileges
The `always` flag is false and the skill does not request elevated or persistent platform privileges. It does write a temporary file under /tmp during execution (cleaned up with trap), which is proportional to its purpose.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.3.0 2026/3/20
Version 1.3.0 of baidu-hot-real removes fallback to simulated data and further simplifies data flow.
- Now exclusively fetches real-time data directly from top.baidu.com/board (no simulated data fallback).
- Updated documentation to reflect removal of multi-tier downgrade strategy.
- Clarified dependency requirements and tool usage.
- Added SECURITY.md file.
● Harmless
Install command
Official: npx clawhub@latest install baidu-hot-real
Mirror (accelerated): npx clawhub@latest install baidu-hot-real --registry https://cn.clawhub-mirror.com
Skill documentation
Skill overview
This skill scrapes real-time hot-list data directly from the official Baidu hot search site (https://top.baidu.com/board); it does not use simulated data.
Core features
| Feature | Description |
|---|---|
| Real-time hot search | Fetches the current Baidu hot search Top 50 |
| Hot-topic marks | Recognizes marks such as "hot" and "new" |
| Category tags | Automatically detects the topic category |
| Multiple boards | Hot search / novels / movies / TV series |
Usage
Fetch the hot search list
```bash
# Fetch Top 10
python3 scripts/baidu_real.py 10
# Fetch Top 50 (default)
python3 scripts/baidu_real.py
# Fetch the full list
python3 scripts/baidu_real.py all
```
Output format
```text
🔥 百度热搜榜 Top 10 (2026-03-20 11:48)
- "国家队"出手 房租最高直降 50% 🔥
- "我熟这片草原 让我上!" 🔥
- 春分"分"的是什么?
- 印度新任驻华大使取了中国名字 🆕
- 女儿弥留之际妈妈偷偷来看捂嘴忍泪 🆕
...
```
Data source
- Sole data source: https://top.baidu.com/board
- Update frequency: real-time (as updated by Baidu)
- Data authenticity: ✅ 100% real
Differences from baidu-hot-cn
| Feature | baidu-hot-cn | baidu-hot-real |
|---|---|---|
| Data source | Baidu API (may be unavailable) | Official Baidu hot search site |
| Data authenticity | ⚠️ Returns simulated data when the API is unavailable | ✅ Always real |
| Dependencies | Python requests | Python + web_fetch |
| Recommendation | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
Notes
- Requires network access to Baidu
- Frequent requests may be rate-limited (recommended interval ≥ 1 minute)
- The data format may change as the Baidu site is updated
Output fields
| Field | Type | Description |
|---|---|---|
| rank | int | Rank (1-50) |
| title | string | Hot topic title |
| mark | string | Mark (hot/new/none) |
| link | string | Search link |
| category | string | Category (auto-detected) |
Source: ClawHub · Chinese localization: 龙虾技能库