Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
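OpenClaw Industry Intelligence Officer
v1.0.0 Industry Intelligence Officer - Periodically collects trending topics from GitHub Trending, X (Twitter), Zhihu, 36kr, Juejin and other platforms, then pushes them to specified channels after AI summarization. Integrates the fxtwitter API and RSSHub.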
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The stated purpose (periodic collection from GitHub, X/fxtwitter, Zhihu, RSS sources, AI summarization, and pushing to webhooks/email) is coherent with the runtime instructions. However the skill metadata claims no required binaries or env vars while SKILL.md clearly expects tools (curl, python3, xmllint, openclaw CLI, fxtwitter) and many environment variables (webhooks, SMTP creds, FXTWITTER_API_TOKEN). That mismatch is unexpected and suggests the metadata is incomplete.
Instruction Scope
SKILL.md instructs the agent to fetch external feeds, parse HTML/RSS, call fxtwitter API, generate AI summaries, write cache/logs/summaries under memory/intelligence, and push to external endpoints (Feishu/DingTalk/Telegram/SMTP). These actions are consistent with the stated purpose, but they require network access, filesystem writes, and credentials. The instructions assume an 'openclaw' CLI and local directories—neither is declared in the metadata. The skill does not request unrelated secrets, but it does require sensitive push/SMPP/SMTP tokens and will persist sent content locally.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing will be automatically downloaded or written by the skill itself. That reduces installation risk, but also increases the need for accurate metadata since the skill expects external binaries and an environment that may not exist.
Credentials
SKILL.md lists multiple sensitive environment variables (FXTWITTER_API_TOKEN, FEISHU_WEBHOOK, DINGTALK_WEBHOOK, TELEGRAM_BOT_TOKEN/CHAT_ID, SMTP credentials) which are reasonable given multi-channel push capability. However the registry metadata lists no required env vars—this discrepancy is a proportionality/visibility problem. Before installing, confirm only minimal, dedicated credentials are used (e.g., bot tokens with limited scope, a disposable SMTP account).
Persistence & Privilege
The skill does not request always:true and will not force inclusion in all runs. It instructs storing cache, logs, and summaries under memory/intelligence which is normal for this use case. Scheduling (openclaw cron add) is part of its design but assumes the platform CLI supports cron management.
What to consider before installing
This skill appears to do what it says (collect feeds, summarize, push), but the SKILL.md and the registry metadata disagree. Before installing:
1) Confirm that the host has the required tools (curl, python3, xmllint, the 'openclaw' CLI or equivalent) and that those requirements are declared by the skill author.
2) Provide only dedicated, minimal-scope credentials (separate bot/webhook tokens and a disposable SMTP account) and avoid using high-privilege or personal credentials.
3) Verify where data will be written (memory/intelligence/*) and ensure you are comfortable with local persistence of scraped content and logs.
4) Confirm the legal/terms-of-service implications of scraping each source (GitHub/X/Zhihu) and respect rate limits.
5) Ask the publisher to update the registry metadata to list required binaries and env vars so you can make an informed install decision.
If you cannot verify these points, run the skill in a sandboxed environment or decline installation.
Like a lobster shell, security has layers — review code before you run it.
