Just send a BlockBeats article link, and it will be fetched and saved to the ChainThink backend for you
Security checks across malware telemetry and agentic risk
Overview
The skill matches its stated article-to-draft purpose, but its included script embeds a ChainThink admin token and fixed user IDs despite claiming credentials must be user-provided.
Review carefully before installing. Do not rely on the embedded ChainThink token; it should be removed and rotated, and the skill should require your own explicitly provided credential. Confirm that drafts are created only in the intended ChainThink account and only from trusted BlockBeats URLs.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may create ChainThink drafts using a specific embedded account credential rather than a credential the user supplied or approved, and the token is exposed to anyone who can read the skill files.
The script claims to read a token from TOOLS.md but actually embeds a JWT-format token and uses it with a fixed ChainThink user ID. This conflicts with the documentation and registry credential contract.
# Read the token from TOOLS.md (if it exists)
TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
...
-H "x-token: $TOKEN" \
-H 'x-user-id: 51'
Remove the hardcoded token, revoke or rotate it, declare the credential requirement, and read a user-provided token from a secure configuration or environment variable with clear account scope.
If invoked with the wrong link, the agent could save unintended HTML content into the ChainThink backend as a draft.
The script uses a browser tool to read page data and curl to create a ChainThink draft. This is aligned with the stated purpose, but it is still a backend mutation triggered from a user-provided URL.
ARTICLE_URL="$1"
...
openclaw browser --action=act --kind=evaluate --url="$ARTICLE_URL"
...
curl -s 'https://api-v2.chainthink.cn/ccs/v1/admin/content/publish'
Use only intended BlockBeats links, add explicit domain validation, and consider confirming the extracted title/content before submitting to ChainThink.
The skill may fail or behave differently depending on local tools that are not declared in the metadata.
The included helper script depends on openclaw browser, jq, and curl, while the provided requirements list no required binaries and there is no install spec.
openclaw browser ... | jq -r '.result'
...
RESPONSE=$(curl -s 'https://api-v2.chainthink.cn/ccs/v1/admin/content/publish' ...)
Declare all runtime dependencies and document whether fetch.sh is intended to be run by the agent or only used as reference.
