Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Opencli Content Hunter
v1.4.0基于 opencli 的多平台内容捕手技能。抓取全球热门内容、趋势热点、搜索关键词相关内容。**每当用户提到抓多平台、搜全网、全网热点、多平台抓取时必须触发此技能。** 支持65+平台。每次执行时主动让用户确认平台范围和登录意愿,之后用户可随时说"调整平台"重新选择。触发词:多平台抓取、全网热点、搜全网、open...
⭐ 0· 90·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The listed requirements (opencli + Chrome extension + logging into target sites) match the stated purpose of multi-platform scraping. No unrelated credentials or binaries are requested.
Instruction Scope
Instructions explicitly require installing and loading a Chrome extension in developer mode and reusing the browser login state for 65+ platforms. That scope goes beyond running a CLI: it asks the user to expose browser authentication (cookies/sessions) which can materially increase risk (credential/cookie exposure). The SKILL.md also enforces automatic triggering on many user phrases, which could cause surprising activations.
Install Mechanism
No automated install spec in the registry (instruction-only), but SKILL.md asks the user to run `npm install -g @jackwener/opencli` (npm global install can execute install scripts) and to download/load an unpacked extension from GitHub releases. GitHub releases is a normal host, but loading an unpacked extension in developer mode bypasses browser-store review and increases risk.
Credentials
The skill requests no environment variables or declared credentials. However it requires users to sign into many third-party sites in Chrome and to allow the extension to access those sessions — this is proportionate to scraping logged-in content but is sensitive and should be explicitly justified and constrained.
Persistence & Privilege
always is false and the skill is user-invocable; model invocation is allowed (default). The SKILL.md's instruction that the skill 'must trigger' on many phrases increases behavioral reach (frequency of activation) but does not change system-level persistence. This combination raises potential for unexpected or frequent activations.
What to consider before installing
This skill does what it says (scrapes many platforms) but asks you to: (1) globally install an npm package (which can run install-time scripts), and (2) download and load an unpacked Chrome extension that will reuse your browser login state for many sites. Those two steps create supply-chain and credential-exposure risks. Before installing or using it: verify the opencli npm package source and review its repository; inspect the Chrome extension's code and requested permissions (or prefer an extension from the official store); consider using a dedicated browser profile or disposable account for logged-in scraping; avoid logging into sensitive personal or work accounts in that profile; and confirm you are comfortable with the skill auto-trigger rules (you may want to disable automatic triggers or require an explicit confirmation step). If possible, ask the author for signed releases, a link to the opencli package repo and extension source, and details about what data the extension transmits off-device.Like a lobster shell, security has layers — review code before you run it.
contentvk97ejk7c06tvdf9wm9yezyxw29841n62latestvk970fkyq3gs1qhkm5sagg234gn840h1cnewsvk97ejk7c06tvdf9wm9yezyxw29841n62scrapervk97ejk7c06tvdf9wm9yezyxw29841n62social-mediavk97ejk7c06tvdf9wm9yezyxw29841n62trendingvk97ejk7c06tvdf9wm9yezyxw29841n62
License
MIT-0
Free to use, modify, and redistribute. No attribution required.