by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill appears to implement a dedao.cn scraper, but it has several red flags you should address before running: (1) run_parse.js writes output to a hard-coded Windows path (D:/notes/biji/0000) instead of the documented ./images or a configurable outputDir — change this to a relative or configurable directory to avoid overwriting files; (2) SKILL.md and test files reference parseDedao/other exports but parse.js only exports parsePage — verify and fix the API surface so you know which function...详细分析 ▾
⚠ 用途与能力
The name/description and most code align: parse a dedao.cn share link, extract text and images using Playwright. However there are incoherences: SKILL.md and examples mention parseDedao and other site-specific exports, but scripts/parse.js only exports parsePage. SKILL.md says images default to ./images/, but run_parse.js writes to a hard-coded Windows path (D:/notes/biji/0000). These mismatches suggest sloppy packaging and unexpected filesystem behavior.
⚠ 指令范围
SKILL.md describes extracting content and saving images and provides usage examples. The runtime code does that, but run_parse.js will write markdown and image files to an absolute path (D:/notes/...), which is not documented in SKILL.md. The parse implementation fetches pages and image URLs (network I/O) and writes files to disk — appropriate for a scraper but the undocumented hard-coded path and mismatched exported functions broaden scope unexpectedly.
ℹ 安装机制
There is no install spec (instruction-only plus shipped scripts). SKILL.md lists dependencies (Playwright and Chromium) but the package does not include installation steps. Playwright requires installing browser binaries and can be large; absence of an install mechanism means the environment must already provide these, which may confuse users and lead them to run the scripts in an environment missing required components.
⚠ 凭证需求
The skill requests no secrets or env vars, which is appropriate. However the code writes files to the local filesystem and uses a hard-coded absolute Windows path (D:/notes/biji/0000). This is disproportionate to the description's implied default of './images' and could overwrite or create files in unexpected locations. There are no network exfiltration endpoints in the code, but file-write behavior requires care.
ℹ 持久化与权限
The skill is not always-enabled and does not modify other skills or agent configs. It does, however, write persistent files to disk when executed (markdown and images). That is expected for this use case, but the hard-coded output location increases the chance of undesired persistence on the host.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.12026/3/27
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install parse-deodao-shared-link
镜像加速npx clawhub@latest install parse-deodao-shared-link --registry https://cn.longxiaskill.com镜像同步中