Daily Hot List (每日热榜)

v1.0.1

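Daily Hot List skill - queries trending-list data from 54 platforms, including Weibo, Zhihu, Bilibili, and Douyin, with support for scheduled pushes and browsing by category.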

4 · 2.8k · 21 current · 21 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The code files and description line up with an aggregator for many platforms (DailyHotApi-based). However the manifest declares no required environment variables or credentials while the SKILL.md documents several environment variables (DAILY_HOT_API_URL, DAILY_HOT_DATA_DIR, DAILY_HOT_AUTO_SAVE, etc.) and features (scheduled pushes to 飞书) that would require configuration (and likely credentials) not declared in the registry metadata. That mismatch is unexplained and disproportionate.
! Instruction Scope
Runtime instructions tell the operator to deploy a local service (PM2 + ./deploy.sh), set environment variables, run pip installs, and create/maintain cron tasks and local data under /root/.openclaw/workspace/skills/daily-hot-news/data/. The SKILL.md also references pushing to 飞书 but does not document required webhook/token variables. The instructions assume specific absolute paths and a separate 'daily-hot-api' deploy directory (note: path uses 'daily-hot-api' vs the skill slug 'daily-hot-news'), which is inconsistent and could lead to unexpected behavior or accidental execution of an unexpected deploy script.
Install Mechanism
The provided install step runs an exec to pip-install 'requests' and 'aiohttp' in the workspace via an absolute cd and python3 -m pip install. This is a common approach but executes commands on the host (moderate risk). There are no downloads from arbitrary URLs or archive extracts, which reduces some installation risk, but the install step assumes the workspace path and likely installs system-wide if no virtualenv is used.
! Credentials
The skill requests no credentials in registry metadata, yet the SKILL.md expects environment variables for service URL, data directory, autosave toggle, cache TTL, and mentions pushing to 飞书 (which normally requires a webhook or token). Required config for external push/notifications is not declared, so sensitive tokens could be needed without being listed — that's disproportionate and unexpected.
Persistence & Privilege
The skill is not marked 'always' and does not disable model invocation, so it can be invoked by the model. The SKILL.md describes automatic saving of data and setting cron tasks / PM2-managed service for a local DailyHotApi — this grants the skill persistent data storage and scheduled activity. That capability is plausible for the feature, but combined with the undeclared credentials/config it merits caution.
What to consider before installing
This skill appears to implement a local aggregator and stores data under /root/.openclaw/workspace/skills/daily-hot-news/data. Before installing, check these things:
1) Review the code (especially deploy.sh if present, storage.py, api_client.py, and any code that performs HTTP POSTs) to see how webhooks/tokens are used and where they are stored.
2) Confirm and supply the required environment variables (DAILY_HOT_API_URL, DAILY_HOT_DATA_DIR, etc.) — note the registry metadata does not declare them.
3) Investigate the deploy instructions: SKILL.md references a separate 'daily-hot-api' directory and PM2; ensure you trust the deploy script and that it doesn't run unexpected commands.
4) Install Python dependencies in an isolated environment (virtualenv) and inspect what the code does before running as root.
5) If you plan to enable scheduled pushes (飞书), explicitly determine which credentials or webhooks the skill needs and store them securely; don't rely on implicit defaults.
If you want, provide the contents of deploy.sh and config.py so I can flag any specific risky operations (writing cron entries, executing arbitrary shell commands, or transmitting secrets to third-party endpoints).

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

Bins: python3
