Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
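Chinese All-Platform Hot Search Aggregator
v1.0.0
Chinese all-platform hot search aggregator. Fetches the hot search rankings of six major platforms (Zhihu, Weibo, Baidu, Bilibili, Douyin, Toutiao) in one step. Chinese-first, no API key required, works out of the box. Triggered when the user says "热搜" (hot search), "热点" (hot topics), "今日热点" (today's hot topics), "什么火" (what's trending), "热搜榜" (hot search ranking), "全平台热搜" (all-platform hot search), or "趋势" (trends). Keywords: 热搜, 热榜, 热点, 趋势, trending, hot searc...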
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (aggregating Chinese platform hot searches) aligns with the included script and README. The script contains fetch functions for Zhihu, Weibo, Baidu, Bilibili, Douyin and Toutiao and exposes CLI flags described in SKILL.md — no unrelated credentials, binaries, or platform access are requested.
Instruction Scope
SKILL.md instructs running scripts/fetch_trends.py and using flags; the script only performs HTTP(S) requests to public platform endpoints and formats results. Nothing in the instructions asks the agent to read unrelated local files or secrets. However, the script explicitly implements a two-stage SSL strategy (falling back to an unverified SSL context if verification fails), which weakens TLS guarantees and could allow man-in-the-middle interception of network responses.
Install Mechanism
There is no install spec and the skill is instruction-only with a single Python script. No packages are downloaded at install time and nothing is written to non-standard system locations.
Credentials
The skill declares no required environment variables or credentials and the code does not read secrets or config paths. Network requests go to public platform APIs consistent with the stated purpose.
Persistence & Privilege
The skill does not request persistent 'always' inclusion and does not modify other skills or global agent settings. It runs as a simple script and does not store tokens or elevate privileges.
Assessment
This skill appears to be what it says: a script that scrapes public hot-search endpoints and prints or emits JSON. Before installing or running: (1) review the code yourself — note the intentional SSL fallback that disables certificate verification on failure (this is a transport-security risk; consider removing fallback or running where TLS can be validated); (2) be aware the script makes outbound network requests to public Chinese platforms (may be blocked or return different content depending on region/cookies); (3) run it in an isolated environment if you have a high security requirement; and (4) if you plan to use or integrate its output in production, consider hardening the HTTP client (strict TLS, retries/limits, and error handling) and verifying each target endpoint URL for correctness (some endpoints/params in the script look brittle).
Like a lobster shell, security has layers — review code before you run it.
chinese, hot-search, latest, trending, weibo, zhihu (vk9737jnjq7tapr7kqmcgs8nfdn84pz9m)
Runtime requirements
🔥 Clawdis
