Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Media Research Assistant Skill

v1.0.6

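Collects Bilibili/Douyin/YouTube/Zhihu content through the local media-agent-crawler HTTP service (does not depend on an MCP client being installed). Use when the user wants to collect content from these platforms and has already started the application on this machine (default http://127.0.0.1:39002).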

by 梅花三十三 @sansan-mei · duplicate of @sansan-mei/media-research-crawl-skill
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description state it talks to a local media-agent-crawler service; included scripts and SKILL.md implement exactly that (REST POST to /start-crawl and JSON-RPC POST to /mcp). No unrelated binaries, credentials, or services are requested.
Instruction Scope
Instructions direct the agent to execute shell/Node commands and send HTTP requests to the configured base_url (default localhost). This matches the stated purpose, but the skill will execute arbitrary local shell/Node commands provided in the package (the scripts are visible) and will send data to whichever base_url is supplied (see environment override).
Install Mechanism
No install spec; this is instruction/script-only. All code is bundled in the skill (mjs/sh scripts). No downloads or external installers are used.
Credentials
The skill requests no credentials and no config paths. It does honor an environment variable BIL_CRAWL_URL (documented) to override the service URL — reasonable, but this means a user-supplied URL could redirect the skill's network traffic to an external host if misconfigured.
Persistence & Privilege
always:false and no special persistence/privilege escalation. The skill does not modify other skills or system-wide config; it runs only when invoked.
Assessment
This skill is coherent with its description and simply calls a local media-agent-crawler service using bundled scripts. Before installing/using it: (1) ensure you actually run and trust the local service at the default address; (2) do not set BIL_CRAWL_URL to an untrusted external endpoint (that would cause the skill to send requests to that host); (3) review the included scripts (they are plain JS/sh and only call the local service) and run them in a safe environment if you are concerned about running shell/Node commands; (4) if you don’t have the local service, the skill will fail rather than installing external code.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/crawl_mcp.mjs:34: Shell command execution detected (child_process).
scripts/list_archives_mcp.mjs:28: Shell command execution detected (child_process).
scripts/crawl.mjs:10: Environment variable access combined with network send.
scripts/mcp_tool.mjs:8: Environment variable access combined with network send.

Like a lobster shell, security has layers — review code before you run it.
