Official Account Comprehensive Strength Ranking (公众号综合实力榜)

Review

Audited by ClawScan on May 14, 2026.

Overview

The skill broadly matches its ranking-report purpose, but it fetches data with HTTPS certificate checks disabled and makes subscription claims users should verify.

Use this skill only if you are comfortable with it contacting the third-party API host for ranking data. Ask the publisher to enable normal HTTPS certificate verification before trusting results, and confirm how any claimed subscription or scheduled push can actually be managed or cancelled.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A network attacker or misconfigured proxy could tamper with ranking data returned to the agent, causing the user to receive false rankings or reports.

Why it was flagged

The main ranking fetcher connects to the fixed HTTPS API but explicitly disables hostname and certificate validation; the static scan reports the same pattern in the HTML generator.

Skill content

    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE

Recommendation

Keep default TLS verification enabled, require valid certificates, and apply the same fix to both data-fetching and HTML-generation scripts.

What this means

Users may believe an ongoing push subscription is active even though the provided skill files do not demonstrate the mechanism.

Why it was flagged

The workflow tells the agent to confirm a successful recurring subscription, while the supplied artifacts do not show how that subscription is stored, scheduled, or cancelled.

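Skill content

    User replies "Subscribe to the daily ranking" → reply: "You have successfully subscribed to the daily ranking; it will be pushed promptly at 17:30 every day 🌟~"

Recommendation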

Verify whether the hosting platform implements subscriptions, and require clear subscribe/unsubscribe behavior before relying on scheduled pushes.