Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hotspot Aggregator

v1.0.0

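🔥 Hotspot aggregation and monitoring - one-stop aggregation of the Weibo/Baidu/Zhihu/Douyin trending lists, automatic generation of daily hotspot reports, and support for keyword subscription push notifications. Suitable for self-media operations, content creation, market analysis, and similar scenarios.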

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description align with the included scripts: fetch hot lists from Weibo/Baidu/Zhihu/Douyin, generate reports, and manage keyword subscriptions. However, package.json and the scripts expect curl and jq while the registry metadata listed no required binaries; SKILL.md also references USE_REAL_API and PROXY environment variables that aren't declared in the registry metadata. This is an inconsistency in the declared requirements (missing required binaries and optional env vars).
Instruction Scope
Runtime instructions and scripts stay within the stated purpose: they fetch data (via curl), parse with jq, write JSON data and Markdown reports, and check subscriptions. The scripts do not attempt to read unrelated system files or exfiltrate data to unexpected endpoints. They do, however, perform network requests to listed platform endpoints and a third-party aggregator (api.oioweb.cn) when USE_REAL_API=true.
Install Mechanism
There is no install spec (instruction-only plus shipped scripts), so nothing is downloaded or executed during an install step—risk from installation is low. The skill relies on local runtime tools (curl, jq) being present.
Credentials
The skill does not request secrets or credentials. It optionally uses environment variables USE_REAL_API and PROXY to enable real network fetching and proxying; these are reasonable for the task but were not declared in the registry metadata. No credentials (tokens/passwords) are requested. This is proportionate but the omission from metadata is a minor coherence issue.
Persistence & Privilege
always is false and the skill does not request permanent elevated platform privileges. It writes its own data and reports to /root/clawd/memory/hotspots (a skill-local path, albeit hardcoded under /root), and does not modify other skills or global agent configuration.
What to consider before installing
This skill mostly does what it claims, but check a few things before installing:
1) Ensure curl and jq are available on the target environment (the scripts require them though the registry metadata omitted them).
2) Note the scripts write to /root/clawd/memory/hotspots — confirm you are comfortable with that hard-coded path or update config.json/scripts to use a safer project-specific directory.
3) By default the skill runs in demo mode (safe); enabling USE_REAL_API=true will make outbound network calls to platform endpoints and a third-party aggregator (api.oioweb.cn). If you enable real mode, run it inside an isolated container or environment, and consider routing through a trusted proxy.
4) Review the third-party endpoint(s) (api.oioweb.cn) before enabling real API mode to ensure you trust that service.
5) Because the metadata omitted required binaries and optional env vars, prefer running the scripts manually once to validate behavior before granting the skill autonomous invocation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97471rj08pcjz097n59cs2mk983pekc

Runtime requirements

🔥 Clawdis
