CN Trends Aggregator
v1.0.0中文+全球热榜聚合器。一键获取百度热榜、今日头条、V2EX、Hacker News、GitHub 热门新项目。Use when: user asks about trending topics, hot searches, what's popular, today's hot news, tech trends...
⭐ 0· 467·3 current·3 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (aggregating Baidu, Toutiao, V2EX, Hacker News, GitHub trends) align with the provided Python script which implements fetchers for those sites. One inconsistency: the script uses the curl command-line tool (via subprocess) to perform HTTP requests, but the skill metadata declares no required binaries.
Instruction Scope
SKILL.md only instructs running the included Python script with optional flags (sources, limit, format, proxy). The runtime instructions match the script's behavior and do not ask the agent to read unrelated files, access hidden endpoints, or exfiltrate secrets. Network calls are expected for the stated functionality.
Install Mechanism
There is no install spec (instruction-only skill + bundled script), so nothing is downloaded or written during install. This is the lower-risk model and consistent with the skill's purpose.
Credentials
The skill requires no credentials or environment variables and the script does not read secrets. Note: it calls the public GitHub Search API unauthenticated (subject to rate limits) and supports an arbitrary --proxy value; supplying an untrusted proxy could expose fetched traffic to that proxy.
Persistence & Privilege
The skill is not marked always:true and does not request elevated or persistent system privileges. Autonomous invocation is allowed by default (platform normal) but there is no evidence the skill abuses that.
Assessment
This skill appears to do exactly what it claims: fetch trending items from the listed sources and format them. Before installing or running it: (1) be aware the included Python script uses the curl binary via subprocess — ensure curl is available or update the metadata to declare it; (2) the script makes network requests to public APIs/pages (Hacker News, GitHub, V2EX, Baidu, Toutiao); don't pass an untrusted proxy URL since that proxy would see the requests and responses; (3) GitHub calls are unauthenticated and may be rate-limited — if you expect heavy use, consider adding a token and updating the code/metadata; (4) review the script yourself if you have any concern about outbound network access. If you want a small improvement: replace curl subprocess calls with Python HTTP (requests/urllib) or update the skill metadata to list curl as a required binary.Like a lobster shell, security has layers — review code before you run it.
aggregatorvk975kq7yaweyvqgqpt0nb60nv583w4dnbaiduvk975kq7yaweyvqgqpt0nb60nv583w4dngithubvk975kq7yaweyvqgqpt0nb60nv583w4dnhackernewsvk975kq7yaweyvqgqpt0nb60nv583w4dnhotvk975kq7yaweyvqgqpt0nb60nv583w4dnlatestvk975kq7yaweyvqgqpt0nb60nv583w4dnnewsvk975kq7yaweyvqgqpt0nb60nv583w4dntrendingvk975kq7yaweyvqgqpt0nb60nv583w4dntrendsvk975kq7yaweyvqgqpt0nb60nv583w4dnv2exvk975kq7yaweyvqgqpt0nb60nv583w4dn
License
MIT-0
Free to use, modify, and redistribute. No attribution required.