Weibo Hot Daily

Advisory

Audited by VirusTotal on Mar 29, 2026.

Overview

Type: OpenClaw Skill
Name: weibo-hot-daily
Version: 2.1.1

The skill is a functional tool for fetching Weibo hot search data via the platform's public AJAX API. The code in fetch_hot.py implements standard scraping logic, including data parsing and export to JSON/CSV. While it includes a hardcoded session cookie (common in scrapers to bypass basic bot detection) and a static os.system call to set the Windows console encoding, these behaviors are non-malicious and directly support the stated purpose. No evidence of data exfiltration, unauthorized execution, or prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Requests may run using an embedded Weibo session rather than an unauthenticated public request or a user-controlled credential, which creates uncertainty about account ownership, terms-of-service compliance, reliability, and credential exposure.

Why it was flagged

The code embeds a Weibo Cookie-like session value while the registry metadata declares no credentials and the documentation describes the data as coming from a public API.

Skill content

'Cookie': 'SUB=_2AkMWJzUjf8NxqwFRmP8RxWjnaY10ywzEieKnc3-_JRMxHRl-yT9kqlcatRB6PaaX1URGBqDAY-2n7xAu7MM5S5jv7p5D'

Recommendation

Remove the hard-coded cookie. If authentication is required, disclose it clearly and require a user-provided, scoped credential through a safer mechanism such as an environment variable.

What this means

Users may install the skill expecting capabilities or integrations that are not actually present in the reviewed artifacts.

Why it was flagged

The README advertises AI summaries, multi-channel push, and scheduled execution, but the provided code only fetches, prints, and optionally writes Weibo topics; OpenAI use is marked TODO, and no push or scheduler code exists.

Skill content

- 🤖 AI smart classification and summaries
- 📱 Multi-channel push (Telegram/WeChat/email)
- ⏰ Scheduled execution (automatic daily update)

Recommendation

Align the documentation with the implemented behavior, and clearly label any planned, paid, or external-service features as not included in this code.

What this means

It is harder to confirm which release or code version is actually being installed and reviewed.

Why it was flagged

The package.json version differs from the registry version (2.1.1) and the _meta.json version (2.1.0), while the code header says v2.0.0, creating a provenance and version-tracking gap.

Skill content

"version": "1.0.0"

Recommendation

Keep registry metadata, _meta.json, package.json, and source headers synchronized for each release.