蜂兵虾将

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is not clearly malicious, but it asks for persistent profiling and background or scheduled automation without enough visible opt-in, scoping, or retention controls.

Install only if you want a persistent, memory-based monitoring assistant. Before using it, confirm whether scheduled/background reports are actually enabled, disable or bound them if not needed, avoid entering sensitive business/medical/financial details unless you accept local retention, and review the npm/JavaScript files before running the demo commands.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may prepare or deliver reports and gather information without a fresh user prompt, which can consume resources, create unwanted records, or act outside the user's immediate intent.

Why it was flagged

The skill tells the agent to operate on a schedule and not require the user to watch it, which implies autonomous/background behavior beyond a single explicit user request.

Skill content

Runs automatically, no need to keep watch. Reports are generated automatically every day at 10 a.m. and 4 p.m.

Recommendation

Require explicit opt-in for any schedule or background work, show the exact task scope before each run, and provide a clear stop/disable mechanism.

What this means

Information about user habits, decisions, preferences, and workflows could persist across sessions and influence future confirmations or recommendations.

Why it was flagged

The skill explicitly enables user profile tracking and adaptive behavior, and it states that workflow memory may be retained permanently.

Skill content

profile_tracking: true, adaptive_confirmation: true ... module4: { name: "工作流沉淀系统", layer: "L3", retention: "永久" }

Recommendation

Only use it with information you are comfortable storing, and require clear controls for viewing, deleting, disabling, or limiting memory retention.

What this means

Search results or extracted pages could be inaccurate, biased, or adversarial, and may affect reports or stored memories.

Why it was flagged

The skill instructs the agent to use broad web search and website extraction. This is expected for hotspot monitoring, but it exposes the agent to untrusted web content.

Skill content

Use web_search to search across multiple platforms
- Use extract_content_from_websites to extract detailed content
- Cover at least 3 platforms in each search

Recommendation

Treat generated trend reports as drafts, verify important claims from authoritative sources, and avoid letting retrieved web content override user instructions.

What this means

If a user follows the README manually, code and dependencies will run on their machine.

Why it was flagged

The README directs users to install dependencies and run local JavaScript demos. This is normal for a Node-based demo, but it is still local code execution and is not represented as a registry install spec.

Skill content

# Install
npm install

# Run the demo
node demo.js

Recommendation

Review package files and scripts before running npm install or node commands, especially because the registry lists the source as unknown.