ClawHub

X Hot Topics Daily

v1.0.0

每日追踪并推送 X(x.com)热点话题新闻简报。用于用户要求“每天定时看 X 热点”“按指定话题抓取热门帖”“用 browser 方式监控 X 趋势”时。默认覆盖 AI、LLM、社会热点(中国/新加坡/美国)五个主题。重点输出“最低成本 know-what 版”:2 条必知 + 3 条可忽略 + 10 分钟行动,帮助用户抗 FOMO,而不是只罗列标题。

1· 1.4k·12 current·13 all-time
by@hmzo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (daily X.com topic summaries) matches the instructions (open X, run topical searches, extract top posts). However the runtime explicitly asks to use 'browser profile=chrome', which implies access to a local Chrome profile or browser automation credentials; that access is not declared in the skill metadata (no required config paths or env vars). This is incongruent with the declared zero-credential footprint.
Instruction Scope
SKILL.md stays focused: open X, fetch top posts per topic, filter/ dedupe, and summarize. It does not instruct sending data to external endpoints beyond producing the summary. The main scope concern is the use of a browser snapshot (refs=aria) which can capture personalized content tied to a logged-in session if the Chrome profile is used.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. There is nothing being downloaded or written by the skill itself.
!
Credentials
The skill requests no environment variables or config paths, yet the instructions demand 'profile=chrome' browser access. That implicitly requires access to the user's browser environment or automation endpoint (cookies, session tokens, stored credentials). The lack of declared required config/permission is disproportionate and a privacy risk.
Persistence & Privilege
always:false and no persistent install behavior. The skill does not request system-wide configuration changes or permanent presence. Autonomous invocation is allowed (platform default) but not combined with other high privileges.
What to consider before installing
This skill appears to do what it says (scrape X and summarize), but it asks the agent to use a Chrome profile for browser automation without declaring that it will access browser data. That can expose your logged-in X account, cookies, and personalized feed. Before installing: 1) Confirm how your agent's 'browser' tool handles 'profile=chrome' — does it use your real profile or an isolated ephemeral profile? 2) If you don't want account-linked personalization or cookie exposure, require the skill to run with an unauthenticated/ephemeral profile or headless scraping. 3) Verify where snapshots and extracted data are stored or transmitted and the retention policy. 4) If you accept the privacy tradeoff, limit the agent's browser permissions or create a dedicated Chrome profile for this skill. If the publisher can provide explicit wording that no personal profiles or credentials are used (or supply a dedicated/profile path), that would reduce the concern.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e2z3qk9k8xa3ybmcd1zpw05813w8m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments