Weibo Hot Daily
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Requests may run using an embedded Weibo session rather than an unauthenticated public request or a user-controlled credential, creating account, terms-of-service, reliability, and credential-exposure uncertainty.
The code embeds a Weibo Cookie-like session value while the registry metadata declares no credentials and the documentation describes the data as coming from a public API.
'Cookie': 'SUB=_2AkMWJzUjf8NxqwFRmP8RxWjnaY10ywzEieKnc3-_JRMxHRl-yT9kqlcatRB6PaaX1URGBqDAY-2n7xAu7MM5S5jv7p5D'
Remove the hard-coded cookie. If authentication is required, disclose it clearly and require a user-provided, scoped credential through a safer mechanism such as an environment variable.
Users may install the skill expecting capabilities or integrations that are not actually present in the reviewed artifacts.
The README advertises AI summaries, multi-channel push, and scheduled execution, but the provided code only fetches, prints, and optionally writes Weibo topics; OpenAI use is marked TODO and no push or scheduler exists.
- 🤖 AI-powered categorized summaries
- 📱 Multi-channel push (Telegram/WeChat/email)
- ⏰ Scheduled execution (automatic daily updates)
Align the documentation with the implemented behavior, and clearly label any planned, paid, or external-service features as not included in this code.
It is harder to confirm which release or code version is actually being installed and reviewed.
The package version differs from the registry version 2.1.1 and _meta.json version 2.1.0, while the code header also says v2.0.0, creating a provenance/version-tracking gap.
"version": "1.0.0"
Keep registry metadata, _meta.json, package.json, and source headers synchronized for each release.
