Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Baidu Hot Real
v1.3.0 · Real-time scraping of the Baidu hot search list: fetches the live hot-list data directly from top.baidu.com/board
by Titans@iph0n3
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The skill claims to fetch and parse Baidu hot lists, and the bundled scripts do exactly that. However, the package/registry metadata lists no required binaries, while the runtime clearly invokes python3 and/or the 'openclaw web_fetch' tool. A well-formed skill would normally declare python3 and the web_fetch tool as requirements. This mismatch is an incoherence to be aware of.
Instruction Scope
SKILL.md and the scripts restrict network access to top.baidu.com, and the code parses only HTML input; there are no reads of ~/.ssh, .env, or other sensitive files. Still, the declared allowed-tools (web_fetch, Bash) omit python3 even though the instructions show running python3 scripts, and baidu_fetch.py expects HTML on stdin, so something else must fetch the page first. The instructions therefore rely on external tooling that is not declared in the requirements.
Install Mechanism
No install spec (instruction-only) — lowest install risk and nothing is downloaded at install time. The repository includes local scripts (Python and Bash) rather than fetching remote code. This is generally low risk, but running the scripts requires local tools (python3, openclaw web_fetch) which are not declared.
Credentials
The skill does not request environment variables, credentials, or config paths. The scripts do not appear to read or transmit secrets and they only target the hardcoded top.baidu.com domain.
Persistence & Privilege
The always flag is false, and the skill does not request elevated or persistent platform privileges. It does write a temporary file under /tmp during execution (cleaned up with a trap handler), which is proportional to its purpose.
What to consider before installing
This skill's code matches its stated purpose (scraping and parsing https://top.baidu.com). Before installing or running it:
1) Verify you have Python 3 and the openclaw web_fetch tool available; the skill does not declare these but requires them at runtime.
2) Inspect the scripts, then run them the first time in a sandbox or network-monitored environment to confirm that only top.baidu.com is contacted.
3) Note the minor metadata inconsistencies: author strings differ between files, and package.json lists 'python3' as an npm dependency, which is unusual.
4) If you will allow autonomous agent invocation, apply the usual caution: an agent with network access can fetch arbitrary pages if the instructions or tools change, so make sure you trust the skill source or run it with restricted network access.
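Items 1 to 3 above boil down to two questions you can answer statically before any sandbox run: which hosts do the skill's files reference, and which commands or tools do they actually invoke versus what the metadata declares. The script below is an added example of that check; it is not part of the skill or of the ClawHub scanner. The file contents embedded in it are constructed stand-ins shaped like the files the scan describes (a SKILL.md with an allowed-tools frontmatter, a Bash wrapper that uses a /tmp file with a trap, a Python parser reading HTML on stdin, a package.json), not the real skill's code. The requires-binaries frontmatter key and the treatment of an `openclaw <tool>` command as an invocation of that tool are assumptions of this example.

```python
"""Static pre-install audit of an agent skill directory (added example, not the
skill's own code): which hosts its files reference and which commands/tools
they invoke, compared with a host allow-list and with what SKILL.md declares."""
import re
from typing import Dict, Set

# Constructed stand-ins for the skill's files, shaped like the files the scan
# describes. This is NOT the real skill's content.
SAMPLE_SKILL: Dict[str, str] = {
    "SKILL.md": (
        "---\n"
        "name: baidu-hot-real\n"
        "allowed-tools: web_fetch, Bash\n"
        "---\n"
        "# Baidu Hot Real\n"
        "Fetches https://top.baidu.com/board and parses the realtime list.\n"
        "Run: `bash scripts/fetch.sh` or `python3 scripts/baidu_fetch.py < page.html`\n"
    ),
    "scripts/fetch.sh": (
        "#!/usr/bin/env bash\n"
        "set -euo pipefail\n"
        'TMP="$(mktemp /tmp/baidu.XXXXXX)"\n'
        "trap 'rm -f \"$TMP\"' EXIT\n"
        'openclaw web_fetch "https://top.baidu.com/board?tab=realtime" > "$TMP"\n'
        'python3 scripts/baidu_fetch.py < "$TMP"\n'
    ),
    "scripts/baidu_fetch.py": (
        "#!/usr/bin/env python3\n"
        "import re, sys\n"
        "html = sys.stdin.read()\n"
        "print(re.findall(r'<h3>(.*?)</h3>', html))\n"
    ),
    "package.json": '{"name": "baidu-hot-real", "dependencies": {"python3": "*"}}\n',
}

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Shell builtins and housekeeping commands that are not external dependencies.
IGNORE = {"set", "trap", "exit", "echo", "cat", "rm", "mktemp", "cd", "if", "then",
          "else", "fi", "for", "do", "done", "while", "local", "export", "return",
          "test", "true", "false"}


def extract_hosts(text: str) -> Set[str]:
    """Every host named in an http(s) URL anywhere in the text."""
    return {h.lower() for h in HOST_RE.findall(text)}


def commands_in_shell(text: str) -> Set[str]:
    """Interpreter from the shebang plus the first word of every pipeline segment."""
    found: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#!"):
            found.add(line.split("/")[-1].split()[-1])  # '#!/usr/bin/env bash' -> 'bash'
            continue
        if not line or line.startswith("#"):
            continue
        for seg in re.split(r"\|\||&&|\||;|\$\(", line):
            words = seg.split()
            if not words or "=" in words[0] or not words[0][0].isalnum():
                continue  # empty segment, variable assignment, or a quoted argument
            cmd = words[0]
            # Assumption for this example: 'openclaw <tool>' is the CLI form of an
            # agent tool call, so record the tool name rather than the wrapper.
            if cmd == "openclaw" and len(words) > 1:
                cmd = words[1]
            if cmd not in IGNORE:
                found.add(cmd)
    return found


def commands_in_markdown(text: str) -> Set[str]:
    """Commands shown in inline code spans of an instruction file."""
    found: Set[str] = set()
    for snippet in re.findall(r"`([^`\n]+)`", text):
        found |= commands_in_shell(snippet)
    return found


def declared_requirements(skill_md: str) -> Set[str]:
    """allowed-tools plus the (assumed) requires-binaries key from the frontmatter."""
    parts = skill_md.split("---")
    if len(parts) < 3:
        return set()
    out: Set[str] = set()
    for line in parts[1].splitlines():
        key, _, val = line.partition(":")
        if key.strip() in ("allowed-tools", "requires-binaries"):
            out |= {v.strip().lower() for v in val.split(",") if v.strip()}
    return out


def audit(files: Dict[str, str], allowed_hosts: Set[str]) -> Dict[str, Set[str]]:
    """Compare what the files reference and invoke with the allow-list and declarations."""
    hosts: Set[str] = set()
    invoked: Set[str] = set()
    for name, text in files.items():
        hosts |= extract_hosts(text)
        if name.endswith(".sh"):
            invoked |= commands_in_shell(text)
        elif name.endswith(".py") and text.startswith("#!"):
            invoked |= commands_in_shell(text.splitlines()[0])  # interpreter only
        elif name.endswith(".md"):
            invoked |= commands_in_markdown(text)
    declared = declared_requirements(files.get("SKILL.md", ""))
    return {
        "hosts": hosts,
        "invoked": invoked,
        "unexpected_hosts": hosts - {h.lower() for h in allowed_hosts},
        "undeclared": invoked - declared,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SKILL, {"top.baidu.com"}).items():
        print(f"{key}: {sorted(value)}")
```

On the constructed sample the audit reports no host outside top.baidu.com and exactly one undeclared dependency, python3, which is the discrepancy the scan calls out. Appending a line such as `curl -s https://example.net/collect` to the wrapper makes both `example.net` and `curl` show up in the report, which is the kind of change item 4 warns about when a skill is updated after you first reviewed it. A static pass like this does not replace the sandboxed, network-monitored run in item 2; it only tells you what to expect from it.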
latest: vk977qzd6prqbyk5v4ncr6fdaj983bbyc
