📦 Fastmoss Report — TikTok美区配饰热榜
v1.0.1一键生成美国时尚配饰品类TikTok日榜/周榜Top10数据报告,含趋势分析与选品建议,助力跨境卖家快速锁定爆款。
1· 338·2 当前·2 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
Before installing or running this skill, be aware it asks you to provide a FastMoss account and password and to store them in environment variables (or in agent memory). That is sensitive—prefer not to give primary account credentials to an autonomous agent. Ask the author to: (1) update the registry metadata to list all required env vars and why they're needed; (2) clarify how Vercel and Feishu will be authenticated (provide explicit tokens/permissions rather than relying on implicit browser fl...详细分析 ▾
ℹ 用途与能力
The described functionality (scrape FastMoss, build HTML report, deploy to Vercel, optionally post to Feishu) is coherent with the variables and steps in SKILL.md (account, category, region, deploy dir, group ID). However the public registry metadata states no required env vars while SKILL.md lists multiple environment variables (including credentials). That metadata mismatch is an incoherence and should be corrected.
⚠ 指令范围
SKILL.md directs the agent to use a browser tool to log in to FastMoss, read environment variables (explicitly ~/.openclaw/.env or system env), store/change a rotating password in agent memory, write a deploy directory, and push a Vercel deployment and Feishu notification. The instructions are vague about how Vercel/Feishu authentication should be performed and do not limit or describe any external endpoints for data exfiltration; the step to 'use browser tool' + credentials could expose sensitive data if the agent transmits it. The memory use for password rotation is also a potential leakage vector.
✓ 安装机制
This is an instruction-only skill with no install spec and no code files, so it does not install third-party binaries or download archives. That lowers install-time risk. The skill does assume runtime tools (a browser tool and an ability to deploy to Vercel) are present but does not install them itself.
⚠ 凭证需求
SKILL.md requests sensitive environment values: FASTMOSS_ACCOUNT and FASTMOSS_PASSWORD (used to log into a third-party site). Those are reasonably needed for login, but the registry metadata omitted declaring them. It also asks for FEISHU_GROUP_ID and VERCEL_DEPLOY_DIR but does not request Feishu or Vercel auth tokens or explain how deployment/auth will be handled—this is inconsistent and could lead the agent to attempt alternative, unexpected authentication flows. Requiring a rotating password stored in agent memory is also questionable practice.
✓ 持久化与权限
The skill is not force-included (always:false) and is user-invocable; it uses the agent's workspace (~/.openclaw/workspace/fastmoss-...) and agent memory for state. It does not request elevated system persistence or attempt to modify other skills' configs. This privilege level is typical for such tasks.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.12026/3/6
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install fastmoss-report
镜像加速npx clawhub@latest install fastmoss-report --registry https://cn.longxiaskill.com