Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CNKI Watch

v0.2.1

Query CNKI by journal name or research topic, and create journal or topic subscriptions that periodically push new CNKI paper metadata into the main OpenClaw...

0· 390·1 current·1 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yjli-new/cnki-watch.

Install the skill "CNKI Watch" (yjli-new/cnki-watch) from ClawHub.
Skill page: https://clawhub.ai/yjli-new/cnki-watch
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node, openclaw
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install yjli-new/cnki-watch

ClawHub CLI

npx clawhub@latest install cnki-watch

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

! Purpose & Capability

The skill claims to query CNKI and push results into OpenClaw; the included scripts, package.json, and README align with that. However the published registry metadata lists no required environment variables or credentials while the SKILL.md and references/config.md clearly require CNKI_COOKIE or CNKI_USERNAME/CNKI_PASSWORD. That metadata omission is an incoherence — a CNKI integration legitimately needs CNKI auth, so the metadata is incomplete and misleading.

Instruction Scope

The SKILL.md and scripts describe exactly the actions the skill will take: run a Node script, use Playwright to browse/scrape CNKI, read OpenClaw skill config (~/.openclaw/openclaw.json) and process.env for credentials and settings, create/list subscription state, and post new items back into the main OpenClaw chat (via gateway/chat.inject). The instructions do not ask the agent to read unrelated host data (e.g., shell history) or exfiltrate data to unknown external endpoints. They do instruct the script to stop and surface errors when CNKI shows captchas.

Install Mechanism

There is no formal install spec in the registry, but the bundled script will attempt to require('playwright-core') and, if missing, run npm install/ci inside the skill directory (spawn npm). package-lock.json is included and points to playwright-core from the npm registry. This is a standard npm install flow (moderate risk): it will fetch packages from npm at runtime unless dependencies are already present. There are no downloads from arbitrary URLs or URL shorteners in the manifest.

! Credentials

The runtime expects CNKI credentials (CNKI_COOKIE preferred, fallback CNKI_USERNAME+CNKI_PASSWORD) and also respects optional host env vars (CNKI_WATCH_CHROMIUM, CNKI_WATCH_AUTO_INSTALL). Those credentials are proportionate to the stated CNKI-scraping purpose. The problem is that the skill registry metadata declares no required env vars or primary credential, which is inconsistent and could mislead administrators. The scripts also read OpenClaw config (including gateway token if present) from ~/.openclaw/openclaw.json — that is expected for delivery, but administrators should be aware the skill reads that config file.

Persistence & Privilege

The skill does persist subscription state to a local runtime file (runtime/subscriptions.json) under the skill directory and can add cron jobs via the OpenClaw CLI/gateway as described. It does not request 'always: true' and does not modify other skills. Autonomous invocation is allowed (platform default) which is expected for scheduled subscriptions; this raised no extra red flags by itself.

What to consider before installing

This skill appears to implement what it says (CNKI lookups + scheduled watches), but the published metadata is incomplete: it doesn't declare the CNKI credentials that the code and SKILL.md require. Before installing, verify you trust the skill owner and review the main script (scripts/cnki-watch.mjs). Pay attention to these points:

  • Provide credentials only to the skill's OpenClaw config (CNKI_COOKIE or CNKI_USERNAME/CNKI_PASSWORD). If you prefer not to store passwords, supply a session cookie.
  • The script may run npm install inside the skill directory to fetch playwright-core. If you want to avoid runtime network installs, set CNKI_WATCH_AUTO_INSTALL=0 and preinstall dependencies in a controlled environment.
  • The skill reads ~/.openclaw/openclaw.json (gateway port/token) to deliver messages; ensure that file's contents are acceptable to be read by this skill.
  • If you want extra safety, run the skill in a restricted container or review/lock the package-lock.json before allowing it to install dependencies.

If you need, I can point to exact lines in scripts/cnki-watch.mjs that perform the npm install, read config, and post back to the gateway.
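
The metadata gap the scan describes (credentials named in the docs but not declared in the registry) can be checked mechanically before install. The following is an added example, not code from cnki-watch or ClawHub: the function names and the plain-array form of the declared list are assumptions, and the sample text is constructed from sentences on this page.

```javascript
// Added example: compare env vars a skill's docs mention against what the
// registry metadata declares, and list home-directory files the docs say it reads.
// Assumption: the declared env vars are available as a plain array.
const ENV_NAME = /\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b/g;
const SECRET_SUFFIX = /(?:COOKIE|PASSWORD|TOKEN|SECRET|KEY)$/;
const HOME_PATH = /~\/[\w.\/-]+/g;

// Unique, sorted matches of a global regex in a text.
function uniqueMatches(text, re) {
  return [...new Set(text.match(re) || [])].sort();
}

function auditSkillDocs(docText, declaredEnv) {
  const declared = new Set(declaredEnv);
  const referenced = uniqueMatches(docText, ENV_NAME);
  const undeclared = referenced.filter((name) => !declared.has(name));
  // Undeclared names that look like credentials are the serious case.
  const undeclaredSecrets = undeclared.filter((name) => SECRET_SUFFIX.test(name));
  // Strip a trailing sentence period from matched paths.
  const homePaths = uniqueMatches(docText, HOME_PATH).map((p) => p.replace(/\.+$/, ""));
  let verdict = "ok";
  if (undeclared.length > 0) verdict = "warn";
  if (undeclaredSecrets.length > 0) verdict = "fail";
  return { referenced, undeclared, undeclaredSecrets, homePaths, verdict };
}

// Constructed sample: sentences condensed from this page's SKILL.md and scan text.
const SAMPLE_DOCS = [
  "Prefer CNKI_COOKIE. CNKI_USERNAME plus CNKI_PASSWORD is a fallback path.",
  "Optional host env vars: CNKI_WATCH_CHROMIUM, CNKI_WATCH_AUTO_INSTALL=0.",
  "The script reads ~/.openclaw/openclaw.json for gateway settings.",
].join("\n");

// The scan reports that the registry metadata declares no env vars.
const DECLARED_IN_REGISTRY = [];
const report = auditSkillDocs(SAMPLE_DOCS, DECLARED_IN_REGISTRY);
console.log(JSON.stringify(report, null, 2));
```

A "fail" verdict here means a credential-like variable appears in the docs without being declared; the listed home paths are the files to inspect before granting the skill access.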

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📚 Clawdis
Bins: node, openclaw
Tags: cnki, journal-watch, latest, literature, research
390 downloads
0 stars
3 versions
Updated 4h ago
v0.2.1
MIT-0

CNKI Watch

Use this skill when the user wants CNKI results in either of these modes:

  • manual journal query: return papers from a named journal,
  • manual topic query: return CNKI papers related to a research topic,
  • journal subscription: periodically push new papers from a named journal,
  • topic subscription: periodically push new papers for a research topic.

When to use

  • The user gives a journal name and wants a one-off CNKI query.
  • The user gives a research topic and wants titles plus source metadata.
  • The user wants a recurring CNKI watch delivered back into OpenClaw.

Preconditions

  • The skill ships as a normal npm project with a root package.json and declared dependencies.
  • Preferred runtime is still the OpenClaw gateway container, but local development runs are supported on Windows/macOS/Linux with Node.js 22+.
  • On local runs, the script auto-installs missing JavaScript dependencies from package.json on first use. Browser discovery supports Playwright-managed Chromium plus common Chrome/Edge installs. No custom NODE_PATH is required.
  • Prefer CNKI_COOKIE. CNKI_USERNAME plus CNKI_PASSWORD is a fallback path for establishing a CNKI login session.
  • If CNKI shows captcha, slider verification, or another human-check page, stop and ask for a fresh CNKI_COOKIE or a manually refreshed session. Do not invent alternative scraping logic in the model.
  • Treat OpenClaw runtime behavior as authoritative. The docs define the public contract; do not optimize for quick_validate.py quirks at the expense of runtime compatibility.

Reference files:

  • references/config.md
  • references/schedule.md
  • references/commands.md

Canonical entrypoint

Always use the bundled script instead of ad hoc CNKI browsing:

node {baseDir}/scripts/cnki-watch.mjs <command> [flags]

For local development outside OpenClaw:

cd {baseDir}
npm install
node scripts/cnki-watch.mjs --help
npx cnki-watch query-topic --topic "人工智能" --json

Core commands

One-off journal lookup

node {baseDir}/scripts/cnki-watch.mjs query-journal --journal "计算机学报" --json

One-off topic lookup

node {baseDir}/scripts/cnki-watch.mjs query-topic --topic "大模型安全" --json

Create a journal subscription

node {baseDir}/scripts/cnki-watch.mjs subscribe-journal --journal "计算机学报" --schedule "daily@09:00" --json

Create a topic subscription

node {baseDir}/scripts/cnki-watch.mjs subscribe-topic --topic "大模型安全" --schedule "weekly@mon@09:00" --json

List and remove subscriptions

node {baseDir}/scripts/cnki-watch.mjs list-subscriptions --json
node {baseDir}/scripts/cnki-watch.mjs unsubscribe --id "<subscription-id>" --json
node {baseDir}/scripts/cnki-watch.mjs run-subscription --id "<subscription-id>" --json

Workflow

  1. Decide whether the user wants a manual query or a subscription.
  2. Preserve the journal name or topic text exactly unless the user explicitly asks to normalize it.
  3. Use query-journal for a journal lookup and query-topic for a topic lookup.
  4. Use subscribe-journal or subscribe-topic for recurring pushes. If the user does not supply a schedule, use the configured defaultSchedule.
  5. Respect skill config for browserProfile, timezone, defaultSchedule, maxManualResults, and maxPushResults.
  6. After creating, listing, running, or removing a subscription, report the subscription id, schedule, timezone, and status returned by the script.

Delivery rules

  • Subscription jobs run as isolated cron turns with no automatic announce delivery.
  • The script is responsible for posting new findings back to the main OpenClaw chat, typically through chat.inject.
  • Manual queries return metadata to the current turn and do not create subscription state.
  • Subscription runs should push only new items and stay silent when there is no delta.
  • Return metadata and CNKI links only. Do not promise PDFs, full text, or other copyrighted payloads.

Failure handling

  • If the script reports missing browser dependencies or an unusable runtime, fix the OpenClaw runtime and retry.
  • If CNKI blocks the session with captcha or another verification flow, stop and ask for a fresh CNKI_COOKIE or a manually refreshed CNKI session.
  • If a journal lookup returns weak matches, verify the exact journal name and tell the user that source filtering may need the precise CNKI source string.
  • If credentials are missing, ask the user to populate CNKI_COOKIE, or CNKI_USERNAME plus CNKI_PASSWORD, in the skill env config before retrying.
