hot-china
Pass. Audited by ClawScan on May 15, 2026.
Overview
The provided artifacts show a purpose-aligned skill that runs local Node.js scripts to fetch public Chinese ranking and news data, with no evidence of credential theft, local file access, persistence, or destructive behavior.
This skill appears safe for its stated purpose: it fetches public ranking/news data and returns JSON. Before installing, make sure you are comfortable with it running local Node.js scripts that contact third-party websites, and note that the Node.js runtime requirement is not declared in the registry metadata.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When used, the skill will contact public third-party websites, which may see normal request metadata such as IP address and user agent.
The skill runs code that contacts external public web endpoints. This is disclosed and central to the skill's real-time hot-data purpose, and the provided code does not include local data upload or credential use.
const res = await fetch('https://api.weibo.cn/2/guest/search/hot/word?from=10DA093010&c=iphone', {
Use it only when you want live public ranking data, and be aware it depends on third-party sites and their availability or terms.
The skill may fail if Node.js 18+ is not available, and users must rely on the included JavaScript source rather than an install-managed dependency declaration.
The documentation requires a local Node.js runtime, while the registry requirements list no required binaries. This is an under-declared prerequisite, not evidence of malicious behavior.
All scripts are run with the `node` command and output JSON to standard output. Requires Node.js 18+ (built-in fetch).
Ensure Node.js 18+ is installed before use; the publisher should declare the Node runtime requirement in metadata.
