ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

只需要发律动文章链接,帮你抓取并保存到 ChainThink 后台

v1.0.1

自动抓取律动 BlockBeats文章内容并保存为ChainThink后台草稿,支持标题、摘要、正文和图片提取与上传。

0· 326·0 current·0 all-time
byShinChan_Crayon@dyc0616c-oss

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for dyc0616c-oss/blockbeats-to-chainthink.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "只需要发律动文章链接,帮你抓取并保存到 ChainThink 后台" (dyc0616c-oss/blockbeats-to-chainthink) from ClawHub.
Skill page: https://clawhub.ai/dyc0616c-oss/blockbeats-to-chainthink
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install dyc0616c-oss/blockbeats-to-chainthink

ClawHub CLI

Package manager switcher

npx clawhub@latest install blockbeats-to-chainthink
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The high-level purpose (fetch article content and post to ChainThink) matches the code and instructions. However, the implementation hardcodes a JWT-like token in fetch.sh and asks users to add a token in TOOLS.md in SKILL.md, while the manifest declares no required credentials—this mismatch is inconsistent and unexplained. Also the script calls an 'openclaw browser' CLI and uses jq/curl but the skill declares no required binaries.
!
Instruction Scope
SKILL.md instructs the agent to evaluate JavaScript in the page (window.__NUXT__.data[0]) and then POST to the ChainThink API — which is consistent with the goal. But SKILL.md asks the user to put tokens into TOOLS.md (a place for secrets) and the script contains a hard-coded token; this is scope creep for secret handling. The instructions are specific but they implicitly assume access to a secrets file and to an OpenClaw browser tool that are not declared.
Install Mechanism
No install spec (instruction-only) which is low-risk. However the fetch.sh runtime depends on external tools not declared in the manifest: 'openclaw' CLI (openclaw browser action), jq, and curl. The absence of declared required binaries is an implementation inconsistency to be aware of.
!
Credentials
The skill requests no environment variables or credentials in the registry metadata, yet both SKILL.md and fetch.sh require an API token/x-user-id to authenticate to ChainThink. The script embeds a long JWT-like token directly in fetch.sh, and SKILL.md tells users to place a token in TOOLS.md. This is insecure and inconsistent: secrets should be declared and handled via secure env vars or secret storage, not embedded in files or code.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence. It does not modify other skills or system settings. Autonomous invocation is allowed (default) which is normal; no additional privilege flags are present.
Scan Findings in Context
[base64-block] expected: The scanner flagged a base64-like block; this corresponds to the JWT-like token found embedded in SKILL.md and fetch.sh. A token is expected for authenticating to ChainThink, but embedding a token directly in code or documentation is insecure and suspicious.
What to consider before installing
This skill mostly does what its name says, but there are red flags you should address before using it. The implementer embedded a JWT-like token inside fetch.sh and told users to paste a token into TOOLS.md, yet the registry declares no required credentials—this is inconsistent and insecure. Ask the author to: (1) remove any hard-coded token from the code, (2) declare required credentials in the manifest and accept tokens via environment variables or a secrets store (not a plaintext TOOLS.md), (3) document runtime binary requirements (openclaw CLI, jq, curl) so you can run it safely, and (4) confirm the token's owner, scope, and expiry and ideally rotate/revoke the example token shown. Until these issues are fixed, avoid running the script with real secrets or on privileged machines, and consider running it in an isolated environment. Also verify you have the right to repost BlockBeats content to ChainThink (copyright/terms of use).

Like a lobster shell, security has layers — review code before you run it.

latestvk970mr146x5e77r69gpc98bwad82d8da
326downloads
0stars
1versions
Updated 5h ago
v1.0.1
MIT-0
ShinChan_Crayon@dyc0616c-oss
latest
Download

BlockBeats to ChainThink Skill

从律动 BlockBeats 抓取文章并自动保存到 ChainThink 后台草稿。

使用场景

当用户提供律动 BlockBeats 文章链接(如 https://www.theblockbeats.info/news/xxxxx),自动:

  1. 提取文章标题、摘要、正文和图片
  2. 保存到 ChainThink 后台草稿
  3. 返回文章 ID

工作流程

  1. 打开浏览器访问 BlockBeats 文章页面
  2. window.__NUXT__.data[0].info 提取文章数据
  3. 调用 ChainThink API 保存草稿

ChainThink API 配置

  • API 地址: https://api-v2.chainthink.cn/ccs/v1/admin/content/publish
  • 认证方式: x-token + x-user-id headers
  • User ID: 51
  • Token: 从 TOOLS.md 读取(需要用户提供)

使用方法

用户发送律动文章链接即可,例如:

实现步骤

1. 提取文章内容

使用浏览器工具访问 BlockBeats 页面并执行:

const data = window.__NUXT__.data[0];
return {
  title: data.info.title,
  abstract: data.info.abstract,
  content: data.info.content
};

2. 保存到 ChainThink

调用 API:

curl 'https://api-v2.chainthink.cn/ccs/v1/admin/content/publish' \
  -H 'Content-Type: application/json' \
  -H 'X-App-Id: 101' \
  -H 'x-token: <从TOOLS.md读取>' \
  -H 'x-user-id: 51' \
  --data-raw '{
    "id": "0",
    "is_translate": true,
    "translation": {
      "zh-CN": {
        "title": "<文章标题>",
        "text": "<HTML正文>",
        "abstract": "<摘要>"
      }
    },
    "type": 5,
    "is_public": false,
    "user_id": "3",
    "as_user_id": "3"
  }'

3. 返回结果

返回保存成功的文章 ID 和状态。

注意事项

  • 图片链接保留原始 CDN 地址(https://image.blockbeats.cn/...
  • 内容格式为 HTML,保留所有标签
  • 文章默认保存为草稿(is_public: false
  • Token 有效期约 7 天,过期需要重新获取

Token 配置

在 TOOLS.md 中添加:

### ChainThink API Token

x-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
x-user-id: 51

Comments

Loading comments...