Github Trending Daily
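v1.0.0
Fetches GitHub Trending projects on a schedule (daily, weekly, or monthly) and pushes them to a DingTalk group; supports a test mode and a fetch-only mode.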
⭐ 0 · 396 · 2 current · 2 all-time
by johnson @jiangzhiyu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (push GitHub Trending to DingTalk) matches the code and SKILL.md: the script fetches trending pages, formats Markdown, and posts to a DingTalk webhook. However, the skill includes a specific hard-coded webhook URL inside the code rather than requiring the user to supply their own, which is unexpected for a push-notification integration.
Instruction Scope
SKILL.md simply instructs how to run the script and add a cron job and states '钉钉 Webhook: 已配置' ("DingTalk Webhook: configured") without telling the user to configure their own webhook or explaining how to change it. The runtime instructions and code will send messages to the embedded webhook by default; the skill does not read or transmit any other local files or secrets, but the silent use of a third-party webhook is scope creep relative to the documentation.
Install Mechanism
There is no install spec; this is an instruction-only skill with an included Python script. Nothing is downloaded or written at install time, which reduces install-time risk.
Credentials
The skill requests no environment variables, but embeds a full DingTalk webhook URL (including an access_token-like value) in plaintext. A well-scoped push skill would require the operator to provide their own webhook (env var or config file). Embedding someone else's webhook is disproportionate and could cause unexpected outbound posting or leak data to the webhook owner.
Persistence & Privilege
The skill does not request 'always: true', does not modify other skills or system settings, and runs only when invoked or via user-installed cron. There is no evidence of privilege escalation or permanent platform-wide changes.
What to consider before installing
Do not install this skill as-is if you expect notifications to go to your DingTalk group. The script contains a hard-coded DingTalk webhook URL (an access token) which will cause all pushes to go to that webhook unless you edit the code. Recommended actions before use:
1) Inspect and replace DINGTALK_WEBHOOK in github-trending-daily.py with a webhook you control, or modify the script to read the webhook from an environment variable/config file.
2) If the embedded webhook is yours, consider rotating it (create a new webhook) and use the new token stored in a secure env var.
3) Review the script for any additional endpoints (it only calls GitHub and the DingTalk webhook).
4) If you cannot or do not want to edit the file, avoid installing — the author-controlled webhook could receive unexpected data.
5) Prefer skills that require you to provide credentials explicitly (via env or configuration) rather than embedding them in code.
Like a lobster shell, security has layers — review code before you run it.
