Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

brand-sentinel

v1.0.0

Brand sentiment sentinel: searches public platforms for brand-related information, automatically deduplicates and filters by recency, and outputs structured results for an LLM to perform risk grading and alerting. Trigger scenarios: monitoring public sentiment about a brand or product, searching for negative information and filtering it by time, scheduled brand reputation patrols, competitor sentiment comparison. Keywords: brand monitoring, sentiment search, negative information, reputation patrol, sentiment alerts, brand reputation, sentinel, sentiment sentinel. Does not do: ...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (brand monitoring, de-duplication, time filtering, JSON output) matches the implementation: scripts/sentinel.py calls a web-search API, builds queries, deduplicates URLs, parses dates and emits structured JSON/text. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
SKILL.md simply instructs the agent to run scripts/sentinel.py or provide a config file. The runtime instructions and the script do not ask the agent to read arbitrary system files or exfiltrate unrelated data. The only runtime network interactions are to a web-search API and a local token service as documented.
Install Mechanism
There is no install spec (instruction-only with an included script). The Python script has no third-party install step other than optional certifi. No downloads from untrusted URLs or archive extraction are present.
Credentials
The skill does not request environment variables, which is proportional. Two items deserve attention: (1) the script requires a local AutoGLM token service at http://127.0.0.1:18432/get_token — this is an explicit runtime dependency and the token service must be trusted (it provides an Authorization Bearer token used for remote searches); (2) the script contains hardcoded APP_ID and APP_KEY values. Hardcoded keys in shipped code are a maintenance/security smell (they may be public or stale) but are coherent with the code's authentication scheme.
Persistence & Privilege
The skill does not request persistent/always-on inclusion and does not modify other skills or system-wide agent settings. It runs only when invoked.
Assessment
This skill appears coherent for brand monitoring, but check two things before installing: (1) the script expects a local token service at http://127.0.0.1:18432/get_token — only run this skill if you know and trust that local service (it supplies the Bearer token used to call the remote search API); (2) the repo contains a hardcoded APP_ID/APP_KEY — treat these as public/stale secrets unless you can verify their provenance. Run the script in an isolated environment if unsure, inspect or replace the token provider with one you control, and avoid supplying any unrelated system credentials. If you need stronger assurance, request the author/source and confirm the intended AutoGLM endpoint and key lifecycle.

Like a lobster shell, security has layers — review code before you run it.
