Hunter Search v1.0
v1.0.0
Calls the 奇安信 Hunter OpenAPI to export assets in bulk. Load this skill first when the user mentions Hunter, asset mapping, batch export, or downloading a file by task_id.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md align with the stated purpose (calling 奇安信 Hunter OpenAPI to create/poll/download batch export tasks). However the skill does not declare required environment variables or binaries even though both are necessary: the script expects an API key (HUNTER_API_KEY or --api-key), Python 3 and the requests library. This mismatch between manifest and actual needs is an incoherence.
Instruction Scope
SKILL.md and the CLI script stick to the described workflow: encode search, create task, poll status, download result to a local file. The instructions do not request unrelated files, other credentials, or unexpected external endpoints; network calls are limited to hunter.qianxin.com.
Install Mechanism
There is no install spec (no automated install), which reduces risk, but the repository includes a requirements.txt and a Python script. The skill expects the requests package and Python 3 but the registry metadata did not declare these. The lack of an install step means a user/agent must install dependencies manually or may fail at runtime.
Credentials
The script requires an API key (HUNTER_API_KEY or --api-key) to operate, which is appropriate for the service. However the skill metadata lists no required env vars or primary credential; this omission is a configuration inconsistency that could lead users to unknowingly supply secrets in the wrong way. Also the script sends the API key as a query parameter (api-key) — functional but less private than header-based auth.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It writes downloaded export files to the current working directory, which is expected behavior for this function.
What to consider before installing
This skill's code matches its description and calls only hunter.qianxin.com, but the package metadata is missing important details. Before installing or using it:
1) Treat HUNTER_API_KEY as a sensitive secret — provide it via environment variable or a secrets manager, not checked into repositories.
2) Run the script in a controlled environment (Python 3 virtualenv) and install requests (pip install -r scripts/requirements.txt).
3) Review the script yourself (it is included) to confirm network endpoints and to ensure you are comfortable with the API-key-in-query behavior; consider modifying it to send the key in an Authorization header if preferred.
4) Because the source is unknown, test with a limited/rotated API key first and avoid granting broader credentials.
5) If you expect the skill metadata to be authoritative, ask the publisher to correct the manifest to declare HUNTER_API_KEY, Python requirement, and any install steps before widespread use.
Like a lobster shell, security has layers — review code before you run it.
QAX Hunter Use
First
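- Default to API mode; do not use file upload.
- The user supplies the query syntax; the script applies RFC 4648 base64url encoding automatically.
- The batch task flow is fixed:
  - Create the task: /openApi/search/batch
  - Query progress: /openApi/search/batch/{task_id}
  - Download the result: /openApi/search/download/{task_id}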
Entry script
- Main script: scripts/hunter_batch_cli.py
- How to run:
  - Non-interactive (recommended for AI):
    python3 scripts/hunter_batch_cli.py --no-interactive --api-key "$HUNTER_API_KEY" --search 'web.title="test"' --check-delay 10 --json-output
  - Interactive (compatibility mode):
    python3 scripts/hunter_batch_cli.py
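Parameters
- Required: api-key
- Common optional: search, start_time, end_time, is_web, status_code, fields, assets_limit
- AI-friendly parameters:
  - --no-interactive: disables interactive input; a missing parameter is an error
  - --check-delay: after creating the task, wait N seconds (default 10) before the first download attempt
  - --poll-interval / --poll-timeout: polling control
  - --output-file: name of the downloaded file
  - --json-output: print one line of JSON as the final result, for machine parsing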
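Security notes
- Do not write a real api-key into repository files.
- Prefer injecting it through the environment variable HUNTER_API_KEY.
- If the key must be persisted, use the system keyring or an encrypted configuration file; do not store it in plaintext.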
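The encoding step and the API-key-in-query behavior described above, as an added example that is not the skill's own script: it base64url-encodes a search expression and masks the api-key query value before a URL is logged. The https scheme, the query-string request shape and all function names are assumptions, and the key is a constructed sample value.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BASE_URL = "https://hunter.qianxin.com"  # host from the scan report; https is assumed
SECRET_PARAMS = {"api-key"}              # query parameter that carries the key


def encode_search(query: str) -> str:
    """RFC 4648 base64url-encode a search expression (UTF-8 bytes, padding kept)."""
    return base64.urlsafe_b64encode(query.encode("utf-8")).decode("ascii")


def decode_search(token: str) -> str:
    """Inverse of encode_search; tolerates tokens whose '=' padding was stripped."""
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def build_url(path: str, api_key: str, **params) -> str:
    """Assumed request shape: api-key and the other fields as query parameters."""
    query = {"api-key": api_key}
    query.update({k: v for k, v in params.items() if v is not None})
    return f"{BASE_URL}{path}?{urlencode(query)}"


def redact_url(url: str) -> str:
    """Return the URL with secret query values masked, so it is safe to log."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    key = "constructed-key-0000"  # constructed sample value, not a real key
    url = build_url("/openApi/search/batch", key,
                    search=encode_search('web.title="test"'))
    print(redact_url(url))  # log this form, never the raw URL
```

Masking only covers what the client logs itself; the key still travels in the request URL.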
