飞牛论坛 Sign-in

Review

Audited by ClawScan on May 10, 2026.

Overview

The visible artifacts match the stated purpose of automating 飞牛论坛 sign-in, but the skill needs real account credentials, Baidu OCR keys, local session caches, and optional daily automation.

Before installing, confirm you are comfortable giving the skill your forum password and Baidu OCR keys, sending CAPTCHA images to Baidu OCR, and optionally running a daily cron job. Protect config, cookies.json, and token_cache.json with appropriate file permissions, and remove cached files and cron entries if you stop using it.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can log in as the user on the forum and use the user's Baidu OCR account.

Why it was flagged

The skill requires a forum username/password and Baidu OCR API credentials, giving it delegated access to those services.

Skill content

`FNCLUB_USERNAME`, `FNCLUB_PASSWORD`, `BAIDU_OCR_API_KEY`, `BAIDU_OCR_SECRET_KEY`

Recommendation

Use only credentials you are comfortable delegating, prefer a dedicated Baidu OCR key, and rotate credentials if you uninstall or stop using the skill.

What this means

CAPTCHA images from the forum are transmitted to Baidu's OCR service as part of login automation.

Why it was flagged

The script sends the downloaded CAPTCHA image to Baidu OCR for recognition.

Skill content

`` axios.post(`https://aip.baidubce.com/rest/2.0/ocr/v1/accurate_basic?access_token=${accessToken}` ... `image=${encodeURIComponent(base64)}` ``

Recommendation

Use this only if you are comfortable with that provider flow and with any forum rules around automated CAPTCHA solving.

What this means

Once configured, the skill may continue using the account daily until the cron task is removed.

Why it was flagged

The skill documents a daily scheduled task, so it can keep signing in automatically after setup.

Skill content

`openclaw cron add ... --every "1d" ... --system-event "fnclub-sign"`

Recommendation

Only enable the cron job if you want ongoing automation, and remove the cron job plus cached cookies/tokens when no longer needed.

What this means

Installing the skill will depend on third-party npm packages.

Why it was flagged

The install instructions rely on npm dependencies. They are consistent with HTTP, HTML parsing, and cookie handling, and a lockfile is present.

Skill content

`cd scripts` / `npm install` ... `axios`, `cheerio`, `tough-cookie`

Recommendation

Install from a trusted environment, keep the lockfile, and avoid adding unreviewed dependencies.

What this means

Users may not get platform-level credential prompts even though manual credential setup is required.

Why it was flagged

The registry metadata under-declares credentials even though SKILL.md and package.json document required sensitive credentials.

Skill content

Required env vars: none; Primary credential: none

Recommendation

Treat the credentials listed in SKILL.md as required, and the publisher should update registry metadata to match.