AIRS Embodied Intelligence Bidding Collector

v1.0.4

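AIRS embodied-intelligence Tianyancha bidding data query tool. Queries a company's bidding and bid-award announcements on the Tianyancha platform and exports structured CSV reports; implemented with browser automation. Keywords: AIRS, embodied intelligence, Tianyancha, bidding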

by airs-git@airs-guest
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Tianyancha bidding data collector) match the code and SKILL.md. The repository contains Puppeteer-based modules for searching companies, downloading bidding records, CSV/Excel writers, and anti-scraping detection — all appropriate for the stated task.
Instruction Scope
SKILL.md and code instruct the user to start Chrome with --remote-debugging-port and a dedicated user-data-dir and to manually log into Tianyancha; the tool interacts with the opened browser, detects captchas/security pages, and asks the user to solve them. This is within expected scope for browser-automation scraping, but it means the script will act on a browser session you launch (and can access pages, DOM, and any data in that profile). The code does not attempt to read unrelated system files or transmit data to unknown external endpoints.
Install Mechanism
No registry install spec in metadata; SKILL.md tells users to run npm install in the scripts directory. Dependencies are standard (puppeteer-core, csv-writer, winston, xlsx). package-lock references a mirror (registry.npmmirror.com) for resolved package tarballs — this is a non-default registry mirror (common in some regions) and worth noting: npm will use your registry settings when installing. Overall install method (npm) is expected but moderate risk compared to instruction-only skills because installing third‑party packages pulls remote code.
Credentials
The skill declares no required environment variables or credentials. The code reads an optional TIANYANCHA_DEBUG_PORT env var for the debug port (default 9222) but does not require secrets or API tokens. It requires a user-run Chrome session and manual login to Tianyancha (no credential storage or remote auth flows are present).
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation. It writes outputs to its own data directory and can update the local assets MD file (updateCompanyList) — expected behavior for this tool. It does not request persistent platform-wide privileges or modify other skills.
Assessment
This skill appears to do what it says, but take these precautions before installing or running it:
- Inspect and run in an isolated environment (VM/container) if you worry about third‑party npm packages. npm install executes remote code from the registry.
- When starting Chrome, use a dedicated temporary user-data-dir (as recommended) so the script does not access your normal profile or cookies; delete that profile after use.
- The tool controls a live browser session you start. It will see pages, DOM, and any data in that profile while running; do not run it against a profile containing sensitive logins you don't want accessed.
- The package-lock shows packages resolved from a mirror (registry.npmmirror.com). If you prefer the official npm registry, run npm install with your preferred registry or verify package integrity.
- The tool relies on manual login and manual captcha solving; it does not exfiltrate your credentials, but you should avoid pasting passwords into unknown prompts. Review the code (especially network calls and any new/omitted files) if you plan to run it with elevated privileges.
- Be mindful of Tianyancha's terms of service and legal/regulatory constraints for automated scraping in your jurisdiction.
