Security Scan
OpenClaw
Safe
high confidence
Assessment and Recommendations
This skill appears to do what it says, but review and run safely: 1) Inspect trending.py yourself (it performs HTTP requests to github.com and to Telegram/webhook URLs you provide). 2) Do NOT place bot tokens or webhook URLs directly in a public crontab or on the command line (they appear in process lists and some system crontabs); instead use environment variables or a protected config file with restrictive permissions. 3) Verify any webhook endpoints you use are trustworthy and rotate tokens i...
✓ Purpose and Capabilities
The repository, SKILL.md examples, and trending.py implement exactly the advertised functionality (fetch GitHub Trending, format results, send via Telegram/webhook). No unrelated binaries, env vars, or services are requested.
ℹ Instruction Scope
SKILL.md only instructs running trending.py and setting up a cron job. One security-relevant note: examples show passing tokens/webhooks on the command line and in crontab, which can expose secrets via process lists or crontab visibility. The instructions do not tell the agent to read unrelated files or secrets.
✓ Installation Mechanism
No install spec is provided (instruction-only skill with an included .py). Nothing is downloaded or written by an installer; risk from installation is minimal.
ℹ Credential Requirements
The skill requires no declared environment variables; it accepts tokens/webhooks as runtime arguments. That is proportional to its purpose, but passing secrets on command line or crontab is insecure — better to use protected env vars or a config file with restricted permissions.
✓ Persistence and Privileges
The skill does not request persistent presence (always:false) and does not modify other skills or system settings. It runs on demand or via user-configured cron.
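Security is layered; review the code before running.
Runtime Dependencies
No special dependencies
Version
latest v1.0.0 2026/3/19
● Benign
Install Command
Official: npx clawhub@latest install 9527-github-trending
Mirror (accelerated): npx clawhub@latest install 9527-github-trending --registry https://cn.longxiaskill.com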