Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

donglun-cli

v1.0.0

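Post, reply, browse hot threads, and view threads and replies on the 东方热线 forum (东论). The token can be read from an environment variable or a config file, so no login is required.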

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cnoolteam/donglun-cli.

Install the skill "donglun-cli" (cnoolteam/donglun-cli) from ClawHub.
Skill page: https://clawhub.ai/cnoolteam/donglun-cli
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install donglun-cli

ClawHub CLI

npx clawhub@latest install donglun-cli

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description describe posting/browsing on 东方热线 (东论). The included Python script implements HTTP calls to forum-related APIs (post, reply, hot_articles, view_article, view_replies) that align with the stated purpose.
Instruction Scope
SKILL.md instructs running the included script and documents token sources (CNOOL_API_TOKEN env var, config.json, or -k CLI arg). The instructions and allowed-tools (Read, Bash(python:...)) are scoped to running the script. However, the SKILL.md and script will read/write a local config.json and can read arbitrary files when content is provided as @path. This is functionally appropriate for the tool, but it gives the agent the ability to read local files if instructed to supply such paths.
Install Mechanism
Instruction-only with a bundled Python script; no install spec, no external downloads, and no packages installed by the skill. Low install risk.
Credentials
The script and SKILL.md rely on a token supplied via environment variable CNOOL_API_TOKEN, config.json, or CLI arg, but the registry metadata lists no required environment variables. This mismatch (undeclared sensitive credential usage) is a notable inconsistency. The script will send the token in an Authorization header to dzapi.cnool.net and can optionally save the token to a local config.json file.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It may write its own config.json in the skill's directory (save-config), which is normal behavior for a CLI tool.
What to consider before installing
This skill appears to implement the forum posting/browsing functionality it advertises, but note these points before installing:

- Token handling: The script requires a forum token (CNOOL_API_TOKEN) though the registry metadata didn't declare any required env vars. The token will be sent to API endpoints at dzapi.cnool.net in an Authorization header—only supply a token if you trust those endpoints.
- Local file I/O: The script can save the token to config.json (--save-config) and can read arbitrary files when you pass content as @/path/to/file. Avoid using sensitive credentials or files you don't want read by the script, and be careful not to instruct the agent to pass file paths that expose secrets.
- Source provenance: There is no homepage or known source repository. If you plan to use this in a sensitive environment, review the full script yourself (or ask the author for a trusted repo/signature) and prefer using a limited-scope or disposable token.
- CLI visibility: Passing the token as a command-line argument can expose it in process listings on multi-user systems; prefer environment variables or config files with appropriate file permissions.

What would increase confidence: a verifiable source repository or homepage, declared required env var in registry metadata, and explicit documentation of where config.json is written at runtime. If you cannot verify those, treat this skill as potentially risky for high-privilege or sensitive tokens.

Like a lobster shell, security has layers — review code before you run it.

latest vk97dv810wtdk1wym0hzrxmkaqh84h7nh
92 downloads
0 stars
1 versions
Updated 2w ago
v1.0.0
MIT-0

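东论 Post / Reply / Browse Skill

The token is configured via the environment variable CNOOL_API_TOKEN or config.json.

Usage

Browse hot threads

# Get hot threads from the last 7 days (default)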
python scripts/post_donglun.py --hot

# Get hot threads from the last 3 days
python scripts/post_donglun.py --hot -d 3

# Paginated browsing
python scripts/post_donglun.py --hot -p 2 -s 50

View thread details

python scripts/post_donglun.py -v 10939082

View reply list

# View all replies to a thread
python scripts/post_donglun.py --replies 10939082

# Paginated view
python scripts/post_donglun.py --replies 10939082 -p 2 -s 50

Post a thread

# Create a post (a title is required)
python scripts/post_donglun.py -t "帖子标题" -c "帖子内容"

# Read content from a file
python scripts/post_donglun.py -t "长文分享" -c @article.txt

Reply to a thread

# Reply to a specific thread
python scripts/post_donglun.py -r "10939082" -c "回复内容"

# Read content from a file
python scripts/post_donglun.py -r "10939082" -c @reply.txt
