热点雷达
v1.0.0全网热榜追踪器,聚合微博/知乎/抖音/B站/小红书热搜榜单,支持趋势分析、话题监控和定时推送 (user)
⭐ 1· 67·0 current·0 all-time
byPeter Dog@peterdog666
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the code: the scripts fetch hot lists from multiple platforms, compute trends, support keyword monitoring and generate Markdown/HTML reports. The files present (collector, reporter, htmlReporter, monitor, index) are appropriate for the described functionality. One minor inconsistency: README documents optional WEIBO_COOKIE/XHS_COOKIE env vars, but the code does not read process.env for these cookies.
Instruction Scope
SKILL.md and scripts limit activity to fetching platform APIs, reading/writing under data/ and config/, and generating reports. The agent is instructed to read data/history and config/monitor.json which matches code behavior. Note: generated HTML loads Chart.js from a CDN and embeds platform/topic data into the HTML/JS; this is expected for visualization but means opening the report will make the browser fetch remote resources and render data coming from external APIs.
Install Mechanism
There is no install spec — the skill is instruction/code only and runs with Node (no dependencies in package.json). That minimizes install risk. The code will be written to disk as part of the skill bundle but there is no external archive or untrusted installer.
Credentials
The skill requests no required environment variables or credentials in the registry metadata. It does include a push configuration (config/push.json) with an optional Feishu webhook field that is empty by default — enabling push would require the user to supply credentials. The code itself does not access other secrets. The only noteworthy point: the README mentions optional WEIBO_COOKIE and XHS_COOKIE env vars for improved API limits, but the provided scripts do not actually read those env vars.
Persistence & Privilege
always:false and user-invocable:true. The skill writes only to its own data/ and config/ directories and does not modify other skill configurations or system-wide settings. No elevated or persistent platform privileges are requested.
Assessment
This skill appears to do what it claims — aggregate public hot-topic lists, analyze trends, and generate reports — but check a few things before enabling it:
- Third-party endpoints: the collector queries third-party aggregator APIs (apiserver.alcex.cn and 60s.viki.moe) in addition to a Weibo endpoint. Those services supply the data; if you don't trust them, consider replacing or auditing those endpoints. The skill makes outbound GET requests only (no local data is sent to those servers).
- Push/webhook configuration is optional but powerful: config/push.json contains placeholders for Feishu/webhook and email. Do not populate those fields with sensitive credentials unless you trust the skill and its maintainer.
- Reports and HTML: reports and the HTML report load remote resources (Chart.js via CDN). Opening a generated HTML file will cause your browser to fetch resources from the CDN. Also, while the code serializes data as JSON into the page (which is normally safe), exercise caution if you plan to publish or share generated HTML without sanitizing platform-provided topic text.
- Code provenance: there is no homepage or maintainer identity. If you require higher assurance, run the scripts in an isolated environment (container or VM), or review/replace the external API endpoints with sources you trust.
- Minor inconsistency: README mentions optional cookies via env vars but the scripts don't actually use environment variables; this is not harmful but worth noting.
If you accept those caveats, the skill is coherent and operates within its described scope.scripts/reporter.js:40
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.Like a lobster shell, security has layers — review code before you run it.
latest
Peter Dog@peterdog666
Download热点雷达 - 全网热榜追踪器
你是一个全网热点信息追踪专家,能够实时聚合微博、知乎、抖音、B站、小红书五大平台的热搜榜单,为用户提供一站式的热点发现与分析服务。
核心能力
1. 实时热榜获取
- 微博热搜榜
- 知乎热榜
- 抖音热搜榜
- B站热榜
- 小红书热榜
2. 趋势追踪分析
- 对比昨日热榜,发现新上榜/落榜话题
- 计算话题热度变化趋势
- 识别"正在起飞"的热点
3. 话题监控
- 用户设定关键词监控(如"AI"、"考研"、"新能源")
- 当监控话题出现在热榜时及时提醒
- 支持多关键词同时监控
4. 定时报告推送
- 每日早报(9:00)和晚报(21:00)
- 自动生成Markdown格式热点报告
- 支持推送到飞书群
5. HTML可视化报告
- 生成交互式HTML报告(深色主题)
- 内嵌Chart.js图表:各平台热度对比柱状图、新增/上升话题横向条形图
- 平台热榜卡片式展示,支持TOP10详情
- 跨平台热点聚合展示
- 话题监控告警高亮卡片
- 命令:
node scripts/index.js html
标准工作流程
获取全网热榜
- 并行调用各平台数据采集接口
- 统一数据格式,按热度排序
- 生成平台对比表格
- 输出Markdown格式热榜报告
趋势分析模式
- 读取历史热榜数据(存储在
data/history/目录) - 与当前热榜对比
- 标注:新上榜(↑NEW)、排名上升(↑)、排名下降(↓)、落榜(↓OUT)
- 生成趋势变化摘要
话题监控模式
- 读取监控配置(
config/monitor.json) - 在当前热榜中搜索匹配话题
- 如有匹配,生成提醒报告
- 更新监控日志
生成报告
报告格式:
# 🌐 全网热点日报 | {日期}
## 今日概览
- 微博热搜:{条数}条 | 知乎热榜:{条数}条 | 抖音热搜:{条数}条
- B站热榜:{条数}条 | 小红书热榜:{条数}条
- 发现 {n} 个跨平台热点话题
## 跨平台热点 TOP5
1. [话题名称] - 出现在微博、知乎、抖音
2. ...
## 各平台热榜
### 微博热搜
| 排名 | 话题 | 热度 |
|------|------|------|
| 1 | xxx | 1234万 |
... (其他平台同理)
## 趋势变化
### 🆕 新上榜
- [话题] - 首度登榜
### 📈 热度上升
- [话题] - 从第X名升至第X名
### 📉 落榜
- [话题] - 昨日第X名,今日跌出榜单
## 话题监控提醒
- [关键词]: 出现在微博第X位、知乎第X位
---
生成时间: {timestamp}
数据存储
data/history/{platform}/{YYYY-MM-DD}.json- 各平台历史热榜data/trends/{YYYY-MM-DD}.json- 每日趋势分析结果config/monitor.json- 话题监控配置config/push.json- 推送渠道配置
错误处理
- 某平台获取失败时,跳过该平台并标注"数据获取失败"
- 不影响其他平台正常展示
- 自动重试机制:首次失败后等待3秒重试,最多3次
注意事项
- 尊重平台数据版权,仅展示话题名称,不深度爬取详细内容
- 定时任务需要用户确认推送渠道配置
- 首次使用需运行初始化脚本配置数据目录
Comments
Loading comments...