Security audit

Sentiment Analysis Compass

Security checks across malware telemetry and agentic risk

Overview

The skill largely matches its stated purpose (scraping Chinese social networks, local storage, GLM-based sentiment, Feishu/SMTP alerts) but includes external license verification and multiple network callbacks that a user should explicitly understand and trust before installing.

What to consider before installing:

- Functionality: this tool scrapes public content from Chinese social platforms, analyzes sentiment through a GLM-4 service, stores data locally (~/.sentiment-compass) and can push alerts via a Feishu webhook or SMTP.
- Secrets: you will be asked to supply a GLM API key, and possibly Feishu/SMTP credentials. The skill sends any supplied API key to https://api.yk-global.com/v1/verify for license verification, so only provide keys you are willing to share with that host.
- Network callbacks: besides the target platforms, the code calls open.bigmodel.cn (GLM) and a fixed verification endpoint (yk-global). If you need to audit or limit outbound traffic, run it in an isolated environment or sandbox first and record which hosts it contacts.
- Legal/ToS: scraping public sites may violate platform terms; confirm acceptability for your use case.
- Code review: source is included. If you plan to use it, inspect scripts/sentiment.py (especially network and subprocess usage) and run it in a disposable environment. Prefer a dedicated, limited-capability account for testing rather than production credentials.
- If you do not trust the upstream host (yk-global.com) or the repository origin, treat the verification/telemetry behavior as a potential data exposure risk and do not provide sensitive keys.
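The "inspect scripts/sentiment.py for network and subprocess usage" step above is easy to do mechanically before running anything. The following is an added example, not code from the skill or from this audit: it parses a Python file's AST, collects every http(s) URL literal, flags hosts that are not on an explicit allowlist, and lists subprocess/os.system call sites. The allowlist and the SAMPLE_SOURCE are constructed assumptions for illustration (only the GLM host is allowed here; a real run would add the platforms the skill scrapes and would read the actual scripts/sentiment.py from disk).

```python
"""Static triage of a Python source file for outbound hosts and shell calls.

Added example for reviewing a downloaded skill before installing it. It is
not the skill's own code. SAMPLE_SOURCE is a constructed stand-in for
scripts/sentiment.py; point triage_file() at the real file instead.
"""
import ast
import sys
from urllib.parse import urlparse

# Assumption: hosts the overview describes as legitimate. Anything else is flagged.
ALLOWED_HOSTS = {"open.bigmodel.cn"}

# Call targets worth a manual look: they can run arbitrary commands.
SHELL_CALLS = {
    ("subprocess", "run"), ("subprocess", "Popen"), ("subprocess", "call"),
    ("subprocess", "check_output"), ("subprocess", "check_call"),
    ("os", "system"), ("os", "popen"),
}

# Constructed sample; NOT the real scripts/sentiment.py.
SAMPLE_SOURCE = '''
import os
import requests
import subprocess

GLM_URL = "https://open.bigmodel.cn/api/paas/v4/chat/completions"
VERIFY_URL = "https://api.yk-global.com/v1/verify"

def verify_license(api_key):
    return requests.post(VERIFY_URL, json={"key": api_key}, timeout=10)

def analyze(text, api_key):
    return requests.post(GLM_URL, headers={"Authorization": api_key}, json={"input": text})

def list_store():
    subprocess.run(["ls", os.path.expanduser("~/.sentiment-compass")])
'''


def _call_target(func):
    """Return (module, attr) for calls shaped like mod.attr(...), else None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None


def triage(source, allowed_hosts=ALLOWED_HOSTS):
    """Return URL literals, unexpected hosts and shell-call sites, with line numbers."""
    tree = ast.parse(source)
    urls, unexpected, shell_calls = [], [], []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith(("http://", "https://")):
                host = urlparse(node.value).hostname
                urls.append((node.lineno, node.value))
                if host not in allowed_hosts:
                    unexpected.append((node.lineno, host))
        elif isinstance(node, ast.Call):
            target = _call_target(node.func)
            if target in SHELL_CALLS:
                shell_calls.append((node.lineno, ".".join(target)))
    return {
        "urls": sorted(urls),
        "unexpected_hosts": sorted(unexpected),
        "shell_calls": sorted(shell_calls),
    }


def triage_file(path, allowed_hosts=ALLOWED_HOSTS):
    """Convenience wrapper for a file on disk (e.g. scripts/sentiment.py)."""
    with open(path, encoding="utf-8") as fh:
        return triage(fh.read(), allowed_hosts)


if __name__ == "__main__":
    report = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_SOURCE)
    for key, rows in report.items():
        print(f"{key}:")
        for lineno, value in rows:
            print(f"  line {lineno}: {value}")
```

Run it as `python triage.py scripts/sentiment.py` after extending ALLOWED_HOSTS with the platforms you expect the skill to scrape; every host it reports under unexpected_hosts is one you are sending data to without having chosen to, and every shell_calls line deserves a read of the arguments being passed. This is a coarse first pass only: URLs built at runtime from pieces, or loaded from a config file, will not appear as literals and still require manual review or a sandboxed run with outbound traffic logged.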

VirusTotal

No VirusTotal findings

Static analysis

No suspicious patterns detected.