Weibo Hot Daily

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly fetches public Weibo trending topics, but it ships with a hard-coded Weibo cookie/session value and overstates some features, so users should review it before installing.

Install only if you are comfortable with a simple script that calls Weibo and writes optional output files. Review or remove the embedded Cookie before use, and do not rely on the advertised AI summary, push notification, or scheduling features unless they are implemented and disclosed in a later version.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Requests may run using an embedded Weibo session rather than an unauthenticated public request or a user-controlled credential, creating account, terms-of-service, reliability, and credential-exposure uncertainty.

Why it was flagged

The code embeds a Weibo Cookie-like session value while the registry metadata declares no credentials and the documentation describes the data as coming from a public API.

Skill content

'Cookie': 'SUB=_2AkMWJzUjf8NxqwFRmP8RxWjnaY10ywzEieKnc3-_JRMxHRl-yT9kqlcatRB6PaaX1URGBqDAY-2n7xAu7MM5S5jv7p5D'

Recommendation

Remove the hard-coded cookie. If authentication is required, disclose it clearly and require a user-provided, scoped credential through a safer mechanism such as an environment variable.

What this means

Users may install the skill expecting capabilities or integrations that are not actually present in the reviewed artifacts.

Why it was flagged

The README advertises AI summaries, multi-channel push, and scheduled execution, but the provided code only fetches, prints, and optionally writes Weibo topics; OpenAI use is marked TODO and no push or scheduler exists.

Skill content

- 🤖 AI-powered categorized summaries
- 📱 Multi-channel push (Telegram/WeChat/email)
- ⏰ Scheduled execution (automatic daily updates)

Recommendation

Align the documentation with the implemented behavior, and clearly label any planned, paid, or external-service features as not included in this code.

What this means

It is harder to confirm which release or code version is actually being installed and reviewed.

Why it was flagged

The package version differs from the registry version 2.1.1 and _meta.json version 2.1.0, while the code header also says v2.0.0, creating a provenance/version-tracking gap.

Skill content

"version": "1.0.0"

Recommendation

Keep registry metadata, _meta.json, package.json, and source headers synchronized for each release.