蜂兵虾将
v1.4.1蜂兵虾将——你的AI牛马团队,替你干活,帮你赚钱。 全行业热点监控+内容创作+趋势洞察+自动执行,4个AI智能体分工协作: 信息守护者(全网采集)、内容军师(创作策略)、趋势预言家(走势预判)、工作记账本(自动记录)。 适用于:金融、医疗、教育、零售、科技、制造业、餐饮、服务业、汽车、房产等**全行业**。 核心...
⭐ 1· 517·0 current·0 all-time
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The description promises full-industry, full-web monitoring and automated execution which aligns with the included agent and memory code. However the registry metadata/manifest calls this an "instruction-only" skill while the package contains many runnable JavaScript files (package.json, dist/, demo.js, install.sh). That mismatch (instruction-only vs bundled code) is an inconsistency that should be explained by the author. Also the docs point to a CDN download URL (UPGRADE_REPORT) — external artifacts exist in the repo but no install spec was declared.
Instruction Scope
SKILL.md explicitly instructs the agent to always read and write persistent memory files and to search the memory directory (paths shown as absolute /workspace/memory/...). This gives the skill broad access to on-disk workspace data on every run. The instructions mandate '每次执行必做' (must do every execution), which increases risk because the skill will persistently collect and store user choices and history without per-run opt-in. That scope is coherent with the described memory feature but has notable privacy implications and also includes a hard-coded absolute path which may access unexpected data depending on how /workspace is mapped in the runtime.
Install Mechanism
There is no declared install spec in the registry entry, but the package includes install.sh, package.json, compiled dist/ files and many demos — i.e., this is not truly 'instruction-only'. Because no install mechanism was declared, it's unclear whether automated installation will occur; a user may need to run npm install or the included script. The included files are from a code repository (no obscure external download required), but UPGRADE_REPORT references an external CDN URL. No direct network installation commands were found in the provided excerpts, but the inconsistency should be clarified.
Credentials
The skill requests no environment variables or external credentials in the metadata, which is proportionate. That said, the skill's stated capability of '全网采集' (full-web collection from social platforms) may in practice require credentials or special scraping logic — none are declared. Also the skill will store user_profile.json, sessions/index.json and MEMORY.md in the workspace; these files may hold sensitive user data even though no secrets are requested up-front.
Persistence & Privilege
The skill is designed to persistently read and update cross-session memory files on every execution (automatic read + mandatory save). It does not set always:true, but its runtime instructions mandate persistent state changes under fixed paths. Mandatory persistent writes (and the use of absolute /workspace paths in SKILL.md) increase the blast radius for accidental data retention or leakage if runtime sandboxing is misconfigured.
What to consider before installing
Before installing or enabling this skill:
- Understand persistent storage: SKILL.md and the code will read and write files like user_profile.json, sessions/index.json and MEMORY.md in the workspace. These will persist across runs and can contain sensitive user data — review and, if needed, rotate/delete before sharing.
- Confirm runtime paths: SKILL.md uses absolute /workspace/memory/ paths while code uses a relative 'memory' baseDir. Ask the author which path is used at runtime and ensure the skill cannot access sensitive directories in your environment.
- Review the bundled code and scripts: the package contains many JS files, package.json and install.sh. If you plan to run demos or install dependencies, inspect install.sh and package.json for network calls or unexpected commands and only run them in an isolated sandbox or VM.
- Network & credential hygiene: the skill claims wide web scraping but declares no credentials. If you provide API keys or system credentials later, ensure they are only given to the specific services the skill needs and avoid granting broad system credentials.
- Sandbox first: run the skill in a restricted environment (container, VM) to observe its behavior (file writes, network traffic). Monitor outbound network connections and the exact files it reads/writes.
- Clarify with the author: ask why the registry says "instruction-only" despite packaged code, which baseDir (/workspace vs memory) will be used, and whether any external endpoints are contacted (the docs reference a CDN URL).Like a lobster shell, security has layers — review code before you run it.
AIhotspotlatestmonitoring
蜂兵虾将 V1.4
🎯 跨对话框记忆能力已实现 - 自动保存/读取用户偏好和历史
🔑 跨对话框记忆系统(已实现)
存储位置
/workspace/memory/
├── profiles/user_profile.json # 用户画像(偏好、历史)
├── sessions/ # 会话历史
└── /workspace/MEMORY.md # 长期记忆
核心功能(每次执行自动运行)
┌─────────────────────────────────────────────────────────────┐
│ 蜂兵虾将执行时(自动) │
├─────────────────────────────────────────────────────────────┤
│ 1. 读取用户画像 ─→ 了解用户偏好 │
│ 2. 读取会话历史 ─→ 了解之前监控过的行业 │
│ 3. 检索MEMORY ─→ 获取重要记住的事项 │
│ 4. 执行任务 │
│ 5. 保存用户画像 ─→ 记录本次偏好 │
│ 6. 更新会话历史 ─→ 记录本次交互 │
└─────────────────────────────────────────────────────────────┘
具体实现指令
开始时读取用户画像:
- 读取
/workspace/memory/profiles/user_profile.json - 读取
/workspace/memory/sessions/index.json - 搜索
memory/目录了解之前交互
执行过程中记录:
- 记录用户选择了哪些选项
- 记录用户偏好(详细/简洁)
- 记录监控的行业
执行完成后保存:
- 更新
/workspace/memory/profiles/user_profile.json - 更新
/workspace/memory/sessions/index.json
完整执行流程
用户输入
│
▼
┌─────────────────────────────────────┐
│ 【自动】读取用户画像 │
│ • 从 memory/profiles/ 读取 │
│ • 了解用户偏好和历史 │
└─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ 【自动】读取会话历史 │
│ • 之前监控过哪些行业 │
│ • 上次的输出偏好是什么 │
└─────────────────────────────────────┘
│
▼
意图识别 → 智能路由
│
▼
┌─────────────────────────────────────┐
│ 模块执行 │
└─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ 【自动】保存用户画像 │
│ • 更新偏好设置 │
│ • 记录本次交互 │
└─────────────────────────────────────┘
│
▼
用户确认 → 继续/退出
用户画像数据结构
{
"user_id": "default",
"updated_at": "2026-03-03T10:00:00+08:00",
"preferences": {
"output_style": "balanced",
"confirmation_frequency": "normal"
},
"history": [
{
"date": "2026-03-03",
"industry": "金融",
"modules_executed": [1, 2],
"choice": "1"
}
],
"industries_monitored": ["金融", "医疗", "科技"]
}
执行示例(含记忆显示)
用户:帮我监控今天的热点
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
【读取用户画像】
✓ 上次输出偏好:详细
✓ 上次选择了:趋势分析
✓ 之前监控过的行业:金融、医疗
【历史记录】
• 2026-03-02 金融行业 → 选择了模块2
• 2026-03-01 科技行业 → 选择了模块1
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
【行业分析】
识别意图:信息获取 + 内容创作
目标行业:金融(轮换)
【执行】模块1 → 模块2
...
【保存用户画像】
✓ 已记录本次偏好
✓ 已更新历史记录
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
重要规则
✅ 自动记忆(每次执行必做)
-
开始时必须读取:
- 读取
memory/profiles/user_profile.json - 读取
memory/sessions/index.json - 使用 memory_search 检索 MEMORY.md
- 读取
-
执行中必须记录:
- 用户的选择
- 监控的行业
- 使用的模块
-
完成后必须保存:
- 更新 user_profile.json
- 更新 sessions/index.json
- 更新 MEMORY.md(如有重要内容)
存储文件路径(必须使用)
| 数据类型 | 文件路径 |
|---|---|
| 用户画像 | /workspace/memory/profiles/user_profile.json |
| 会话历史 | /workspace/memory/sessions/index.json |
| 长期记忆 | /workspace/MEMORY.md |
全面自检报告
✅ 跨对话框记忆(已实现)
| 功能 | 状态 | 说明 |
|---|---|---|
| 启动时读取用户画像 | ✓ | 读取 memory/profiles/user_profile.json |
| 启动时读取会话历史 | ✓ | 读取 memory/sessions/index.json |
| 自动检索MEMORY | ✓ | 使用 memory_search |
| 执行后保存画像 | ✓ | 写入 memory/profiles/user_profile.json |
| 执行后更新会话 | ✓ | 写入 memory/sessions/index.json |
| 记住监控过的行业 | ✓ | 记录在 history 中 |
| 记住用户偏好 | ✓ | 记录在 preferences 中 |
参考文档
- 存储说明:CROSS_SESSION_README.md
- 长期记忆:/workspace/MEMORY.md
✅ 记忆能力已启用:每次执行蜂兵虾将都会自动读取和保存用户数据,实现真正的跨对话框记忆。
Comments
Loading comments...