微博热搜采集 | Weibo Hot Search
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Weibo-trending purpose, but it can pass web-derived URLs into shell commands and uses a browser profile, so it should be reviewed before use.
Use this only if you are comfortable with it controlling an OpenClaw browser session and storing Weibo trend data locally. Prefer a dedicated logged-out browser profile, and avoid the optional detailed-content fetch until the shell command construction is hardened.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If detailed topic-content fetching is used, a malicious or malformed Weibo link could potentially cause unintended local commands to run.
A URL parsed from browser/page output is later embedded in a shell command while shell=True is enabled. In the optional topic-content flow, malformed or hostile page data could influence local shell execution.
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout) ... url = match.group(1) ... run_command(f"openclaw browser open --profile openclaw '{url}'", timeout=15)
Change subprocess calls to use argument lists with shell=False, validate URLs to expected Weibo hosts and schemes, and never interpolate page-derived strings into shell commands.
The browser may use existing login/session state while collecting Weibo pages.
The scraper opens Weibo pages and snapshots them using a named browser profile. If that profile has an active Weibo session, the collection may run under that session, although the code does not show credential extraction or account mutation.
run_command(f"openclaw browser open --profile openclaw '{url}'", timeout=15) ... run_command("openclaw browser snapshot --compact 2>&1", 15)
Use a dedicated logged-out or low-privilege browser profile for this skill, and document whether any authenticated session is expected.
The skill may fail or require manual setup that is not clearly declared in the registry metadata.
The script requires the OpenClaw CLI even though the registry requirements declare no required binaries and there is no install spec. This can lead to unclear setup expectations.
if ! command -v openclaw &> /dev/null; then
    echo "❌ Error: openclaw command not found"
    exit 1
fi
Declare required runtime tools such as python3 and openclaw in metadata or install documentation, including expected versions where possible.
