Security audit
Sentiment Analysis Compass
Security checks across malware telemetry and agentic risk
Overview
The skill largely matches its stated purpose (scraping Chinese social networks, local storage, GLM-based sentiment, Feishu/SMTP alerts) but includes external license verification and multiple network callbacks that a user should explicitly understand and trust before installing.
What to consider before installing:
- Functionality: this tool scrapes public content from Chinese social platforms, analyzes sentiment using a GLM-4 service, stores data locally (~/.sentiment-compass) and can push alerts via Feishu webhook or SMTP.
- Secrets: you will be asked to supply a GLM API key, and possibly Feishu/SMTP credentials. The skill will send any supplied API key to https://api.yk-global.com/v1/verify for license verification — only provide keys you are willing to share with that host.
- Network callbacks: besides the target platforms, the code calls open.bigmodel.cn (GLM) and a fixed verification endpoint (yk-global). If you need to audit or limit outbound traffic, run this in an isolated environment or sandbox first.
- Legal/ToS: scraping public sites may violate platform terms — confirm acceptability for your use case.
- Code review: source is included. If you plan to use it, inspect scripts/sentiment.py (especially network and subprocess usage) and run it in a disposable environment. Prefer creating a dedicated, limited-capability account for testing rather than using production credentials.
- Trust: if you don't trust the unknown upstream host (yk-global.com) or the repository origin, treat the verification/telemetry behavior as a potential data exposure risk and do not provide sensitive keys.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
