Guoshunsou Project - Bid Monitoring
Verdict: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches a bid-monitoring tool, but it ships real-looking Feishu credentials and fixed recipients, so running it unchanged could send results through someone else’s Feishu setup.
Before installing or running this skill, replace the Feishu app_id/app_secret and recipient targets with your own values or remove them entirely, rotate any exposed secret, and only enable the daily schedule after confirming where notifications will be sent.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing or viewing the skill receives this credential, and running the script may use a Feishu app or tenant the user did not intend.
The distributed configuration contains a Feishu app credential, while the registry requirements declare no primary credential; monitor.py uses this app_id/app_secret to request a Feishu tenant_access_token.
"app_id": "cli_a9085cd9ebf95bb5", "app_secret": "jFQ...Mcnu"
Remove shipped secrets, rotate the exposed Feishu secret, and require users to provide their own credentials via local-only config or environment variables.
If the user runs the monitor before changing config.json, bid-monitoring results could be delivered to unknown Feishu recipients.
The packaged default push configuration includes fixed Feishu recipient open_id values rather than empty or user-provided targets.
"targets": ["ou_2ce...", "ou_b8a..."], "max_items": 999
Ship empty push targets, require explicit user configuration, and display/confirm recipients before sending or scheduling notifications.
Dependency behavior may change over time or vary by environment.
The skill asks the user to install unpinned PyPI packages; this is normal for a Python scraping tool but leaves dependency versions and provenance to the user environment.
pip install requests beautifulsoup4
Install in a virtual environment and prefer pinned, reviewed dependency versions.
If registered as a scheduled task, the monitor can continue scraping and sending notifications without a fresh prompt each time.
The included script is intended for recurring scheduled execution; SKILL.md presents scheduled monitoring as optional.
cd /root/.openclaw/skills/bid-monitor && python3 monitor.py >> /var/log/bid-monitor.log 2>&1
Only enable the schedule intentionally, verify the configured recipients first, and remove the scheduled task when monitoring is no longer wanted.
