Chill Beijing
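v1.4.0
Beijing after-work and weekend relaxation recommendation assistant, v1.4.0. On weekdays it recommends movies, stand-up comedy, and live shows; on weekends it recommends City Walks, trips to the Beijing outskirts, social events, and live shows. It scrapes data from Maoyan (猫眼), Damai (大麦), Meituan (美团), and Xiaohongshu (小红书) in real time.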
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (medium confidence)
Purpose & Capability
The name/description (Beijing leisure recommendations) align with included code: data-fetcher scrapes 猫眼/大麦/美团/小红书 and wttr.in for weather, and generate-recommendations formats suggestions. Declared dependency on puppeteer is expected for the described browser scraping.
Instruction Scope
SKILL.md instructs running the generate-recommendations script and documents use of Puppeteer and 60s timeouts — that matches the code. The instructions do not ask for unrelated files/credentials or to exfiltrate data. Minor mismatch: SKILL.md references a scripts/formatters.mjs file which is not present in the file manifest; also many recommendation texts in generate-recommendations.mjs are static content rather than purely derived from live scrapes (not a security issue but an implementation note).
Install Mechanism
There is no install spec in the registry (instruction-only), but package.json lists puppeteer, which will cause npm to fetch large Chromium artifacts when dependencies are installed. No suspicious third-party download URLs are present in the repo files, but running npm install will trigger remote downloads (normal for puppeteer).
Credentials
The skill requests no environment variables, no credentials, and accesses only public websites (wttr.in and the listed Chinese event sites). There is no evidence of secret exfiltration or access to unrelated services or config paths.
Persistence & Privilege
Flags show always:false and default autonomous invocation allowed (normal). The package does not request permanent presence, does not modify other skills, and does not require special agent-level privileges.
Assessment
This package appears coherent with its stated purpose, but before installing you should:
(1) verify the source/origin, because the registry metadata lacks a homepage;
(2) audit and pin dependencies (puppeteer ^22.0.0) and run npm install in an isolated environment: puppeteer will download a Chromium binary, which can be large, and headless browsers have open network access;
(3) note that SKILL.md mentions scripts/formatters.mjs, which is missing, and ask the author or check the full source to ensure nothing was omitted;
(4) run the skill in a sandbox/container (or as non-root), because the code launches Chromium with --no-sandbox (common, but it reduces sandbox protections);
(5) if you need to run on a shared system, consider network restrictions or a proxy to limit where the headless browser can connect.
If any of these points are unacceptable or the author/source can't be verified, treat the package cautiously.
Like a lobster shell, security has layers — review code before you run it.
Tags: beijing, entertainment, latest, puppeteer, recommendations, scraping, weekend
