Daily Reading Recommendations
Pass
Audited by VirusTotal on May 5, 2026.
Overview
Type: OpenClaw Skill
Name: nexus-reader
Version: 1.0.0
The nexus-reader skill is a legitimate tool for scraping book rankings from WeChat Reading and generating HTML/PNG recommendation cards. The Python script (scripts/reader.py) performs standard web scraping and file operations within a local data directory, and the instructions in SKILL.md clearly define a benign workflow for content creation and rendering without any evidence of malicious intent or data exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
PNG generation may require additional local packages that are not pinned or declared in the install metadata.
Optional PNG generation requires installing Playwright/Chromium, but the registry shows no install spec or declared dependencies. This is purpose-aligned, but users should verify package provenance before installing.
print("[错误] 需要安装 playwright: pip install playwright && playwright install chromium")
Install optional dependencies only from trusted package sources, and consider adding an explicit, pinned install spec.
Opening a generated card from untrusted input could display unexpected content or unsafe links.
Card fields are inserted into the HTML template by raw string replacement. This is normal for rendering, but if a card JSON or scraped field were untrusted, unexpected markup, scripts, or unsafe links could be rendered when the HTML is opened.
html = html.replace("{{" + key + "}}", str(value))
Use trusted/generated card JSON only, and escape HTML plus validate URL fields before rendering or sharing cards.
If enabled, the recommendation workflow may keep running on a schedule.
The skill documents an optional recurring automation for daily recommendations. It is user-directed and purpose-aligned, but it is persistent behavior that continues after setup.
When the user asks for reading recommendations to be pushed on a daily schedule, create an automation (recurring)
Only enable the recurring push when desired, confirm the schedule and delivery target, and disable it when no longer needed.
