Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Weibo Hot Daily

v2.1.1

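🔥 Automatically fetches the Weibo hot search list every day, with support for AI summaries and multi-channel push. A must-have for self-media operators! Free to use; contact the author for custom development.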

0 stars · 166 downloads · 1 current · 1 all-time
by 蓝天 @qq853632587

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for qq853632587/weibo-hot-daily.

Install the skill "Weibo Hot Daily" (qq853632587/weibo-hot-daily) from ClawHub.
Skill page: https://clawhub.ai/qq853632587/weibo-hot-daily
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install weibo-hot-daily

ClawHub CLI

npx clawhub@latest install weibo-hot-daily

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
!
Purpose & Capability
The name/description promise AI summaries, multi-channel push, and scheduled daily runs, but the shipped code only fetches hot topics and optionally writes JSON/CSV and a simple summary. The code includes a hard-coded 'Cookie' header (a SUB session cookie) embedded in Weibo request headers — that is effectively a credential baked into the script even though the skill declares no required environment variables or credentials. The presence of an embedded session cookie is disproportionate and unexpected for a simple fetch script.
!
Instruction Scope
SKILL.md instructs users to run python3 fetch_hot.py and examples show --summary usage, but it does not mention the embedded cookie or how credentials should be handled. The README/SKILL advertise multi-channel push and scheduled automation, but no push/scheduling code is present. The script accepts an --api-key flag (for an OpenAI key) and contains a TODO for OpenAI integration, yet the documentation doesn't explain how to supply or protect such keys; this is inconsistent and grants the agent (or user) little guidance about sensitive inputs.
Install Mechanism
There is no install spec and the skill is instruction+script only; required binary is python3 which is coherent. This lowers installation risk since nothing is downloaded or extracted by the skill installer. One oddity: package.json lists a 'python' dependency (a Node-style dependency declaration) which is not meaningful for runtime but is not a direct install-time risk.
!
Credentials
The skill declares no required environment variables, yet the code embeds a Weibo session cookie directly in headers (a sensitive credential). It also supports an --api-key argument for AI features but does not declare or recommend using an env var for it. Hard-coding credentials in code is disproportionate and risky; proper design would accept sensitive tokens via environment variables or secure config.
Persistence & Privilege
The skill does not request always:true or any elevated persistence. It does not modify other skills or system settings. Autonomous invocation is permitted by default (not flagged here) but the skill itself does not claim persistent/system-wide privileges.
What to consider before installing
Do not run this script blindly on sensitive systems. Specific things to consider before installing or running:

  1) The script contains a hard-coded Weibo SUB cookie (a session credential). Treat this as sensitive; prefer the author remove it and require the user to provide credentials via environment variables or a config file.
  2) Many advertised features (multi-channel push, scheduling, full AI summaries) are not implemented in the provided code; ask the author for clarification or full source before trusting claims.
  3) If you plan to use AI features, supply API keys via secure env vars (not command-line history) and confirm how the key is used.
  4) Run any untrusted script in a sandbox/container and inspect network requests (to ensure no unexpected endpoints).
  5) Verify the source repository and author identity (the package metadata and homepage should match a real repo) and confirm compliance with Weibo's terms.

If you cannot verify or the author does not remove the hard-coded cookie, consider this skill unsafe to run with sensitive accounts.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔥 Clawdis
Bins: python3
latest vk972cn589dakst1gt2a3yw50nh83vthm
166 downloads
0 stars
7 versions
Updated 4w ago
v2.1.1
MIT-0

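🔥 Weibo Hot Search Daily v2.1

Automatically fetches the Weibo hot search list every day, with support for AI summaries and multi-channel push.

✨ What's new in v2.1

  • ✅ Improved API call stability
  • ✅ Improved data display format

📦 Installation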

npx clawhub@latest install weibo-hot-daily

🚀 Usage

python3 fetch_hot.py --top 10
python3 fetch_hot.py --top 50 --summary --output hot.json

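💰 Custom services

This skill is free to use. For the following services, please contact the author:

  • 🔧 Custom development: Weibo data monitoring solutions
  • 📊 Public opinion analysis: brand/topic monitoring
  • 🤖 Automated deployment: complete monitoring system

Contact:

⚖️ Disclaimer

The data obtained by this skill comes from Weibo's public API and is intended only for personal learning and technical research.

  • 📌 Data source: Weibo public API endpoints
  • 📌 Non-commercial: this skill is a free, open-source tool and involves no commercial promotion
  • 📌 Copyright: copyright in all data content belongs to Sina Weibo
  • 📌 Usage restrictions: comply with the Weibo user agreement; use for illegal purposes is prohibited
  • 📌 Liability: this skill is provided "as is", and users bear the risks of using it themselves

📄 License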

MIT License
