Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

social-media-analysis

v1.0.0

A social-media public-opinion data analysis tool. Reads URLs from a Feishu bitable (multi-dimensional table), downloads the media, analyzes the content, and generates summaries.

0· 77·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name and description (Feishu bitable → download media → produce summaries) align with the included scripts. However, the registry metadata declares no required environment variables or binaries, while SKILL.md and the scripts clearly require APP_ID/APP_SECRET/BITABLE_URL, optionally XHS_COOKIE, and external tools (yt-dlp, ffmpeg, Playwright, node). That mismatch (metadata says nothing is required, while the runtime asks for credentials and binaries) is an incoherence.
Instruction Scope
SKILL.md and the included scripts instruct the agent to fetch tenant access tokens (APP_ID/APP_SECRET) and call Feishu APIs (expected), but they also fetch content from many external domains (weibo, m.weibo.cn, xiaohongshu, Douyin/Toutiao/Bilibili) and run local downloads and media processing (ffmpeg, yt-dlp, Playwright). The skill's declared network permission lists only open.feishu.cn, yet at runtime it will contact many other hosts. The instructions also call an unspecified image-analysis command ('image frame_001.jpg') and run Playwright browser automation — both grant broad discretion and network/file access. These behaviors are coherent with the stated purpose, but the omitted network host declarations and the unspecified image-analysis step are concerning and should be explicitly reviewed and approved.
Install Mechanism
There is no install spec (instruction-only), so nothing would automatically be downloaded/installed by the platform. That lowers install-time risk. However the scripts assume presence of several external binaries (node, yt-dlp, ffmpeg, Playwright) and will write downloaded media to disk; those dependencies are not declared in the registry metadata. Because install is manual, ensure required tools are installed from trusted sources before running.
Credentials
The runtime requires sensitive Feishu credentials (APP_ID/APP_SECRET) and optionally cookies for Xiaohongshu (XHS_COOKIE). Those are proportionate to a skill that reads and updates a Feishu bitable and fetches gated content, but the registry metadata did not list them as required — an information gap. Confirm you are comfortable providing Feishu app credentials (they grant tenant-level API access) and any site cookies; minimize scopes and use a dedicated account/app if possible.
Persistence & Privilege
The skill is not marked always:true and does not request persistent platform-level privileges. It will run as invoked and update records in the target Feishu bitable (expected behavior). Autonomous invocation is allowed (platform default) but not combined here with other high-risk flags.
What to consider before installing
This skill appears to do what it says (read Feishu bitable, download social-media media, extract frames, and generate short analyses), but it has several practical and security gaps: (1) The registry metadata does not declare the environment variables and command-line tools the scripts actually use — APP_ID, APP_SECRET, BITABLE_URL, optional XHS_COOKIE, and binaries like node, yt-dlp, ffmpeg, and Playwright are required at runtime. (2) Although permissions list only open.feishu.cn, the scripts make many outbound requests to social-media domains and will download files to disk. Before installing, verify you trust the source and review the full scripts locally. Prefer running in an isolated environment (dedicated VM/container) and use a Feishu app with minimal scope (rotate/revoke credentials after testing). If you need tighter control, request the publisher to update registry metadata to list required env vars, required binaries, and all outbound hosts, and to explain the unspecified 'image' analysis step and any external model endpoints it may call.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/parse-bilibili.js:59
Shell command execution detected (child_process).
scripts/parse-xiaohongshu.js:234
Shell command execution detected (child_process).
scripts/run_backfill.js:14
Shell command execution detected (child_process).
scripts/backfill-content-analysis-by-source.js:23
Environment variable access combined with network send.
scripts/backfill-weibo-content-analysis.js:14
Environment variable access combined with network send.
