Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Hot Topics
v1.1.0
Get real-time trending topics and hot searches from major Chinese social media platforms including Weibo, Zhihu, Baidu, Douyin, Toutiao, and Bilibili. Use wh...
⭐ 0 · 327 · 9 current · 9 all-time
by Never @neverchenx
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (fetch trending topics from Chinese platforms) matches the instructions (GET requests to platform-specific endpoints). Using an aggregator API is a plausible implementation choice, but the aggregator domain (60s.viki.moe) is not a known official provider and there is no homepage or source repository to verify intent.
Instruction Scope
SKILL.md instructs only simple GET requests to the listed endpoints and provides usage examples (Python requests, curl). The instructions do not read local files, require credentials, or request unrelated env vars. However, every call is made to the single third‑party base URL, meaning user queries, request metadata, or derived results could be logged by that external host.
Install Mechanism
No install spec and no code files — this is instruction-only. Nothing is written to disk by an installer, which lowers the attack surface.
Credentials
The skill declares no required environment variables, credentials, or config paths. Requested privileges are minimal and proportionate to the stated purpose.
Persistence & Privilege
always is false and the skill does not request persistent presence or system modifications. It can be invoked by the agent, which is standard for skills; there is no elevated persistence.
What to consider before installing
Before installing, consider that this skill funnels all API calls through an unknown third‑party host (https://60s.viki.moe). That host could log requests, collect IP addresses, or capture any query parameters and results. If you need to protect user data or avoid leaking search queries, prefer skills that use official platform APIs or whose source/homepage you can verify. Ask the publisher for provenance (source repo, maintainer contact, privacy policy, and uptime/availability guarantees). If you proceed, limit agent autonomy (avoid allowing unattended/autonomous invocation), test the skill in a sandboxed environment, monitor outbound network requests, and avoid sending sensitive or personally identifying information through it. If the owner provides an official source or a trustworthy aggregator instead of the current unknown domain, re-evaluation could raise confidence to benign.

Like a lobster shell, security has layers — review code before you run it.
latestvk974sawnk4r4ka8n14dew213k582z62c
