Security scan
OpenClaw
Suspicious
Medium confidence: The skill's declared metadata is simple, but the runtime instructions require an API key and read a global .env (not declared in the manifest) and will POST data to an external service — this mismatch and undeclared credential use are concerning.
Assessment recommendations
This skill calls an external API (default https://api.tangshiye.cn) and requires an API key (TSY_API_KEY) read from a global .env, but the skill metadata does not declare that requirement — that's the primary red flag. Before installing, verify: 1) you trust the remote domain (api.tangshiye.cn) and its privacy/security practices; 2) the API key you supply is scoped minimally and not your broader credentials; 3) you are comfortable that the key will be sent as a query parameter (may be logged by ...
ℹ Purpose and capabilities
The name/description say: call a backend API and output the response data, which matches the SKILL.md and the small helper script. However the manifest lists no required environment variables or primary credential while SKILL.md explicitly reads TSY_API_URL and TSY_API_KEY from a global .env — this metadata/instruction mismatch is unexpected.
ℹ Instruction scope
Instructions are narrowly scoped: run the bundled Python script to produce a JSON body, POST it to {BASE_URL}/gzh/findTopic?apikey={SATOKEN}, and output the response.data raw. That scope is coherent with the stated purpose. Concern: the skill requires reading a global .env for TSY_API_KEY/TSY_API_URL (an access to host configuration) which is not declared; the agent will send the API key as a query parameter to an external domain and then output raw response data without filtering.
✓ Install mechanism
No install spec; the only code is a tiny, readable Python script that generates timestamps. No downloads or extracted archives — low install risk.
⚠ Credential requirements
SKILL.md requires TSY_API_KEY (called SATOKEN) and optionally TSY_API_URL from a global .env, but the manifest declares no required env vars or primary credential. Requiring a secret API key is proportionate to calling a protected backend, but failing to declare that in metadata is an inconsistency that could lead to unexpected secret exposure. Also the API key is sent as a query parameter (?apikey=...), which may be logged by intermediaries — a privacy risk the user should consider.
✓ Persistence and permissions
always is false, no install-time changes or system-wide modifications, and the skill does not request persistent presence or elevated privileges.
Security comes in layers; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/22
tsy-gzh-find-topic 1.0.0
- Initial version; supports fetching WeChat Official Account trending-topic recommendations through the backend interface.
- Calls POST {BASE_URL}/gzh/findTopic and automatically handles parameter and request-body generation.
- Outputs only the raw data field of the interface response, with no processing, analysis or additions.
- Determines the output strictly from the HTTP and interface status; if the configuration or the request is abnormal, it reports an error directly.
● Harmless
Install command
Official: npx clawhub@latest install tsy-gzh-find-topic
Mirror: npx clawhub@latest install tsy-gzh-find-topic --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库