Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Weibo Hot Search Anonymous
v1.0.3无需登录微博账号,匿名抓取微博实时热搜榜并保存为 Markdown 文件。当用户说"获取微博热搜"、"抓取热搜"、"微博热搜榜"、"不用登录查热搜"、"匿名获取热搜"、"get Weibo hot search"、"weibo trending" 时使用。
⭐ 0· 391·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the code: the TypeScript scripts open a Chromium/Edge instance via CDP, navigate to the Weibo hot-search page, scroll, extract entries and save Markdown. Requiring a browser and a JS runtime (bun/npx) is consistent with the stated purpose.
Instruction Scope
SKILL.md and the scripts instruct the agent to launch or reuse a Chrome/Edge instance, take DOM snapshots, write files, and (in troubleshooting) run pkill to terminate Chrome/Edge CDP processes automatically without prompting the user. The scripts also include logic to kill browser processes (killChromeByProfile) based on process listing. Automatic process termination and system-level pkill are scope-expanding and could terminate unrelated browser instances if misapplied.
Install Mechanism
No install spec or remote downloads; this is instruction+script based and will run locally with bun/npx. No external archive or unusual install host is used.
Credentials
No credentials requested. SKILL.md documents optional WEIBO_BROWSER_CHROME_PATH and WEIBO_BROWSER_DEBUG_PORT, which are reasonable. However, the code also reads WEIBO_BROWSER_PROFILE_DIR (not documented in SKILL.md) which is an undocumented optional env var — a minor mismatch that should be corrected.
Persistence & Privilege
The skill creates a browser profile directory (writes to disk under a default path in the user's home) and may spawn or terminate browser processes. It does not request permanent platform-wide privileges or set always: true, but its ability to kill/start browser processes and write a profile directory means it can affect the user's environment and should be run with care (preferably in a sandbox or with an explicit profile path).
What to consider before installing
This skill is mostly coherent with its stated purpose (anonymous Weibo scraping), but you should be cautious before running it on a production machine. Specific points to consider:
- The scripts will start a Chromium/Edge instance and create a browser profile directory under your home folder; data will be written there. If you want no persistent files, set WEIBO_BROWSER_PROFILE_DIR to a temporary directory or run in a disposable environment.
- The SKILL.md troubleshooting suggests forcibly killing Chrome/Edge debug processes (pkill) and the code contains logic that can kill processes found via ps. That can terminate other browser instances unexpectedly. Run first in an isolated/test environment and review/modify the pkill/kill logic if you need safer behavior.
- The code reads an undocumented env var WEIBO_BROWSER_PROFILE_DIR — set this explicitly if you want control over where files are written.
- There are no network exfiltration endpoints beyond connecting to weibo.com and the local Chrome debug port, and no credentials are requested.
If you are comfortable with these behaviors, run it in a sandbox (or set WEIBO_BROWSER_PROFILE_DIR and WEIBO_BROWSER_CHROME_PATH) and review the scripts locally before invoking them.scripts/weibo-hot-search.ts:119
Shell command execution detected (child_process).
scripts/weibo-utils.ts:52
Shell command execution detected (child_process).
scripts/weibo-utils.ts:35
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk97ch444f6a5j2r50dbhcsnzb182s8vr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Any binbun, npx