Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daily Hot Aggregator

v7.1.0

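🔥 Get trending lists from every platform in one click! Bilibili + Douyin + Weibo + Toutiao: all the hot topics in one place. A must-have for self-media operators! Free to use; contact the author for custom development.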

by 蓝天 @qq853632587
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description (multi-platform hot-spot aggregator) matches the included Python scripts (fetch_all.py, analyzer.py, content_recommender.py, hot_alert.py, wechat_push.py). Required binary (python3) is appropriate. However, the fetch_weibo implementation includes a hard-coded 'Cookie' header with a SUB value embedded in source — a credential-like value that is not declared in requires.env and is not appropriate to be baked into source control.
Instruction Scope
SKILL.md instructions are scoped to collecting, analyzing, reporting, scheduling, and push-notifications. They reference local files (hot_reports/, wechat_push_config.json, alert_config.json) and external endpoints consistent with the stated platforms (bilibili, douyin, weibo, toutiao). There is no instruction to read unrelated system files or to exfiltrate arbitrary data. The only noteworthy behavior is that the push feature sends data to user-provided webhooks (expected for push functionality).
Install Mechanism
There is no install spec (instruction-only in SKILL.md) and no remote download/install executed by the skill bundle. Code is provided in plain Python files; nothing in the package.json or SKILL.md indicates fetching arbitrary archives or running installers from untrusted URLs.
Credentials
The registry metadata declares no required environment variables, yet the code contains a hard-coded Weibo 'SUB' cookie value inside fetch_all.py and uses cookie headers for some endpoints (douyin 'ttcid=0', weibo SUB). Embedding a credential-like value in source is disproportionate and unexpected. The skill also expects users to supply webhook URLs via wechat_push_config.json (normal), but the presence of a baked-in authentication cookie should be reviewed — it could be stale, tied to someone else's account, or a privacy/security risk if it grants access beyond public endpoints.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and only writes/reads files within its own data directory (hot_reports/, alert_config.json, wechat_push_config.json). It suggests scheduling via OpenClaw cron but does not force persistent installation or escalate privileges.
What to consider before installing
This package is functionally coherent with its stated purpose, but exercise caution before installing or running it:
1) Inspect and remove any hard-coded credentials (fetch_all.py contains a Weibo 'SUB' cookie). Do not run code that contains someone else's cookie — remove it or replace with your own credential or a code path that fails gracefully when not present.
2) Review wechat_push.py (and wechat_push_config.json) before adding any webhook endpoints — the skill will send data you collect to those webhooks.
3) Run in a sandbox or isolated environment first, and inspect the files it writes (hot_reports/, alert_config.json) to confirm no unexpected outbound networking beyond the listed platform endpoints.
4) If you plan to use authenticated endpoints (Weibo, Douyin, etc.), configure credentials deliberately (not in source) and prefer environment variables or a protected config file.
5) If you are not comfortable editing source, avoid installing until the author removes embedded credentials and documents how to securely provide tokens/webhooks.
If you want, I can point out the exact lines that contain the hard-coded cookie and suggest a safer replacement pattern.

Like a lobster shell, security has layers — review code before you run it.

latestvk979ztdthra024n64rmnh5x9e983ttx9


Runtime requirements

🔥 Clawdis
Bins: python3
