Topic Selection Expert

Security checks across malware telemetry and agentic risk

Overview

The skill appears aligned with its hot-topic monitoring purpose, but it needs Feishu credentials, uses external APIs, stores local history, and can run as a background process.

Before installing, confirm you are comfortable giving it write access to the Feishu table and to any Telegram destination it uses. Configure least-privilege credentials, run it manually once before enabling background or scheduled operation, review where local data is stored, and inspect the full source and its dependencies, because the provided review context has unknown provenance and some file contents were omitted or truncated.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Severity: Medium

What this means

Running the skill with these values lets it create topic records in the configured Feishu table.

Why it was flagged

The skill needs Feishu app credentials and table identifiers to create records in a Feishu bitable. This is expected for the stated workflow, but it grants account/workspace authority.

Skill content

export FEISHU_APP_SECRET='你的飞书应用Secret' ... export FEISHU_TABLE_ID='飞书多维表格TableID' ... batch-write to the Bitable via the Feishu API

Recommendation

Use a least-privilege Feishu app limited to the intended table, keep secrets in environment variables, and rotate credentials if shared.

ASI02: Tool Misuse and Exploitation
Severity: Low

What this means

A run may add multiple records to the configured Feishu workspace without per-record approval.

Why it was flagged

The pipeline can batch-create remote Feishu records automatically for scored topics. This is core functionality, but it is a remote mutation users should understand before scheduling.

Skill content

url = f"{FEISHU_API}/bitable/v1/apps/{APP_TOKEN}/tables/{TABLE_ID}/records/batch_create" ... httpx.post(url, headers=headers, json={"records": batch}, timeout=30)

Recommendation

Run the pipeline manually first, confirm the table ID and score thresholds, and keep a cleanup/review process for unwanted records.

ASI10: Rogue Agents
Severity: Low

What this means

If started successfully, it may keep running, logging, fetching data, and performing configured workflow actions until stopped.

Why it was flagged

The start script launches a background process and stores a PID/log file. It is not hidden and a stop script is provided, but it can continue after the command returns.

Skill content

nohup python3 -u main.py --daemon >> "$LOG_FILE" 2>&1 &
echo $! > "$PID_FILE"

Recommendation

Use the provided status/stop scripts, and do not enable daemon or scheduled runs until credentials and output destinations are verified.

ASI06: Memory and Context Poisoning
Severity: Low

What this means

Local topic history and preference signals can persist beyond a single request.

Why it was flagged

The skill persists topic history, raw source data, and skip/generation status in a local SQLite database for reuse across runs.

Skill content

def __init__(self, db_path="~/.openclaw/workspace-bijian/data/topics.db") ... raw_data TEXT ... skipped_topics

Recommendation

Review or delete the database if you do not want long-term topic history, and avoid placing sensitive manual data into topic fields.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Info

What this means

You may need to verify the publisher and dependencies yourself before running the included scripts.

Why it was flagged

The skill includes many code files but has limited provenance information and no declared install/dependency contract. This is not malicious by itself, but it reduces auditability.

Skill content

Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill.

Recommendation

Install only if you trust the source, review the full bundled code, and prefer pinned dependency installation from trusted package sources.