Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
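Trending Topic Tracker (热点话题追踪)
v1.0.0
Fetches real-time hot-search rankings and trending topics from major Chinese platforms such as Weibo, Zhihu, Baidu, Douyin, Toutiao, and Bilibili. Use when users want to know trending topics, hot searches, or popular content on Chinese social media platforms.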
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (fetch trending topics from Weibo, Zhihu, Baidu, Douyin, Toutiao, Bilibili) match the SKILL.md instructions which call endpoints that return hot-topic data. The skill does not request unrelated credentials, binaries, or config paths.
Instruction Scope
All runtime examples instruct the agent to call a single third‑party API base (https://60s.viki.moe/v2) for every platform. While that fits the stated goal (an aggregator), the instructions will send every user query to that external host. There is no provenance, no fallback to official platform APIs, and no guidance about what data is sent besides simple GETs — this creates privacy and integrity concerns (collection, logging, tampering, inaccurate data).
Install Mechanism
This is instruction-only with no install spec and no code files, so nothing is written to disk by an installer. That minimizes installation risk.
Credentials
The skill requests no environment variables or credentials, which is proportionate. However, absence of auth means the external API endpoint may log requester IPs and query contents; the skill provides no guidance on privacy, consent, or rate-limiting enforcement by the service.
Persistence & Privilege
Skill flags are default (always:false, model invocation allowed). It does not request persistent presence or modify other skills or system settings.
What to consider before installing
Before installing, verify the external API host (https://60s.viki.moe): look for a homepage, privacy policy, maintainer identity, and whether it is reputable. Consider these steps: (1) test the endpoint with non‑sensitive queries to inspect responses and headers; (2) check TLS certificate and WHOIS for the domain; (3) prefer official platform APIs (which may require credentials) if you need higher integrity; (4) beware that every request will be sent to the third‑party host which may log IPs and query text; (5) ask the publisher for source code or an official homepage — absence of provenance is the main reason this skill is flagged suspicious. If you cannot validate the API provider, avoid sending sensitive or private data through the skill.

Like a lobster shell, security has layers — review code before you run it.
