Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

media-cluster

v1.0.1

Automatically crawls Chinese social media by keyword, summarizes content, generates a markdown report, and produces a short voice summary using TTS.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (crawl Chinese social media, summarize, TTS) align with the included scripts: it clones a MediaCrawler repository, runs the crawler, summarizes the output, and calls SenseAudio for TTS. However, the registry metadata declares no required env vars or binaries, while the SKILL.md and scripts require Conda, Node.js (for some platforms), and a SENSEAUDIO_API_KEY for TTS. This is an inconsistency between the described behavior and the declared requirements.
Instruction Scope
SKILL.md gives explicit commands: clone GitHub repo, create/activate conda env, pip install requirements, run the crawler, and run summarize_and_voice.py which posts to SenseAudio. All instructions stay within the stated purpose. Important operational behaviors: the agent will (if run) download a third‑party project and execute its code, open browsers for QR login, and may prompt for or persist login state. The instructions do not ask the agent to read unrelated system secrets, but they do require network access and executing external code.
! Install Mechanism
There is no install spec in the registry; at runtime the skill clones https://github.com/NanmiCoder/MediaCrawler.git and installs packages via pip/playwright and creates a conda env. Downloading and executing code from an external GitHub repo is expected for this functionality but increases risk because arbitrary third‑party code will run on the host. The download URL is a normal GitHub repo (not a shortened/personal server), which is better than an untrusted host, but still introduces execution-of-remote-code risk.
! Credentials
SKILL.md and scripts require Conda, Node.js (>=16 for some crawls), and an API key SENSEAUDIO_API_KEY (and optional SENSEAUDIO_VOICE_ID). The registry metadata lists no required env vars or binaries — this mismatch is important: the skill will fail or behave differently without those, and the missing declaration means the platform/user consent step may not surface these requirements. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills' configs. It runs when invoked and may create a conda environment and cache login state for crawled platforms — normal for this function. Autonomous invocation is allowed (platform default) but is not combined with other high privileges here.
What to consider before installing
This skill mostly does what it says (clones a MediaCrawler repo, runs crawls, summarizes, and optionally calls SenseAudio for TTS), but you should be careful before installing/running it:
1) Metadata is incomplete: the skill requires Conda, Node.js for some platforms, and an API key SENSEAUDIO_API_KEY for TTS, but those are not declared in the registry entry; ask the author to correct the metadata.
2) The skill clones and executes a third‑party GitHub repository at runtime. Review that repository's code yourself (or run inside an isolated VM/container) before allowing it to run on any machine with sensitive data.
3) Running crawlers may require logging into target apps (QR scan) and may store login state; consider privacy and terms‑of‑service/legal issues for scraping.
4) If you only need summarization/TTS of user-supplied content, consider using an approach that does not run a remote crawler.
5) If you proceed, run the skill in an isolated environment (container/VM) and provide a SenseAudio API key only if you trust the TTS provider; revoke keys if you suspect misuse.

Like a lobster shell, security has layers — review code before you run it.
