Trend Watcher

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note (Medium Confidence)
ASI01: Agent Goal Hijack
What this means

A malicious or joke repository description could appear in the trend report and should not be treated as instructions.

Why it was flagged

The tool fetches public GitHub Trending HTML and prints repository descriptions into the report, so untrusted public text can enter the agent/user context.

Skill content
const html = await this.httpRequest(url, 8000); ... console.log(`   📝 ${p.description.substring(0, 80)}`);
Recommendation

Use the report as informational data only; do not let repository descriptions override user intent or trigger automatic actions.

What this means

Users have less context for deciding whether to trust updates or authorship of the skill.

Why it was flagged

The skill has limited provenance information, which makes it harder for a user to independently verify origin or maintenance history.

Skill content
Source: unknown; Homepage: none
Recommendation

Prefer installing from skills with a known source or review the included artifacts before use.

What this means

Saved trend/bookmark data may remain in the OpenClaw workspace and influence later review or exploration tasks.

Why it was flagged

The tool persists bookmark data in a fixed local workspace file, which can later be reused as context.

Skill content
this.workspacePath = '/home/vken/.openclaw/workspace'; this.bookmarksFile = path.join(this.workspacePath, 'trend-bookmarks.md'); ... fs.writeFileSync(this.bookmarksFile, JSON.stringify(bookmarks, null, 2));
Recommendation

Review or clear the bookmark file if you do not want old trend data reused, and verify the storage path is appropriate for your environment.

What this means

A user may expect bookmarks to be written to a chosen file, but they may instead be stored in the skill's fixed workspace file.

Why it was flagged

The documentation implies the user can choose a bookmark file, while the visible code uses a hard-coded bookmark file path, which may make persistence location less clear.

Skill content
`--bookmark, -b`: File to save interesting projects
Recommendation

Check the actual bookmark output path before relying on the documented `--bookmark` behavior.