Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Hotspot Aggregator
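v1.0.0 🔥 Hotspot aggregation monitor - one-stop aggregation of the Weibo/Baidu/Zhihu/Douyin hot-search lists, automatic generation of daily hotspot reports, and support for keyword subscription push. Suitable for self-media operations, content creation, market analysis and similar scenarios.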
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The scripts implement the described functionality (fetching hot lists, generating daily reports, keyword subscriptions). However package.json lists required runtime binaries (curl, jq) while the registry metadata reported 'none' — a mismatch. The code also references a third‑party API (api.oioweb.cn) which is reasonable for a data aggregator but should be considered a non-first-party data source.
Instruction Scope
SKILL.md and the scripts stay within the aggregator/reporting scope: they fetch platform hotlists, write JSON and markdown reports, and search local data for keywords. The scripts reference USE_REAL_API and PROXY environment variables (to enable live network fetches) and will call external endpoints when enabled. Default behavior uses demo data; network calls occur only if USE_REAL_API=true or when fetch is explicitly invoked.
Install Mechanism
There is no install spec and all code is delivered with the skill (shell scripts + JSON). No remote installer or downloaded archives are used, which lowers installation risk.
Credentials
The skill uses environment variables (USE_REAL_API, PROXY) but the registry metadata declared no required env vars. The scripts also depend on system binaries (curl, jq) although the metadata showed none — this inconsistency could mislead users about what is required. No secret credentials are requested, which is appropriate for the stated purpose.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global settings. It writes data and reports under the absolute path /root/clawd/memory/hotspots (skill-specific), which is normal for local data storage but worth noting if the platform's shared paths are sensitive.
What to consider before installing
Things to check before installing or running:
- Ensure curl and jq are available: the scripts call curl and jq although the skill metadata did not list required binaries. Without them the scripts will fail.
- Understand the network behavior: by default the skill uses demo data, but setting USE_REAL_API=true (and optionally PROXY) makes the scripts perform HTTP requests to external endpoints (weibo, baidu, zhihu, and a third‑party aggregator api.oioweb.cn). Only enable live mode if you trust those endpoints and your environment's network/credentials policy.
- Review absolute paths: the scripts read/write under /root/clawd/memory/hotspots. Confirm that path is acceptable in your environment and does not overlap with sensitive data or other skills.
- Third‑party API trust: api.oioweb.cn is a third‑party aggregator (not an official Douyin endpoint). Evaluate whether you trust that service before enabling real API mode.
- Config and notifyChannel: the config.json contains notifyChannel but the scripts do not implement any notification delivery — if you expect push notifications, verify or implement the mechanism safely.
- Minimal privileges: run the skill in a sandbox or non-privileged account first to confirm behavior. If you need higher assurance, inspect network traffic (or run with USE_REAL_API=false) and review the scripts line-by-line — the code is simple shell, so manual review is feasible.
Summary: functionally coherent but metadata omissions and network/absolute-path choices are the main concerns; review and test in a limited environment before trusting it in production.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔥 Clawdis
