Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Zhihu Hot CN
v1.0.0 Zhihu Hot List Monitor - fetch Zhihu trending topics, questions, and trend analysis (the Chinese version of Quora)
⭐ 2· 2k·21 current·22 all-time
by Guohongbin @guohongbin-git
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the actual behavior: the included script fetches a public GitHub README and extracts a numbered hot-list. However SKILL.md advertises extra features (compare-trends.sh, find-persistent.sh, multiple data sources) that are not present in the package, so the bundled capability set and the documentation are not fully aligned.
Instruction Scope
Runtime instructions are limited to running the provided shell script(s) which only use curl/sed/grep/date to fetch and parse public data. They do not request secrets or access unrelated system files. But the README/SKILL.md call out commands for scripts that are missing and list an additional data source that the script does not use — this is a documentation vs. implementation mismatch.
Install Mechanism
No install spec and no third-party packages are installed by the skill. The only network access is at runtime: a curl to raw.githubusercontent.com to fetch a public README (this is expected for the stated purpose).
Credentials
The skill requests no environment variables, no credentials, and no config paths. Its runtime behavior (simple HTTP GET of a public URL) is proportionate to its stated function.
Persistence & Privilege
The skill is not forced-always, requests no elevated privileges, and does not attempt to modify other skills or system configuration. Autonomous invocation is allowed (platform default) but not combined with other red flags.
What to consider before installing
This skill is lightweight and fetches public hot-list data from a GitHub README, so it is not requesting secrets or installing code. However: (1) the documentation references additional scripts (compare-trends.sh, find-persistent.sh) and data sources that are not included — the package appears incomplete; (2) the script parses raw README content and will execute curl to raw.githubusercontent.com at runtime, so verify that the remote README content is what you expect before running; (3) the shell script has some parsing logic that can produce malformed JSON if the source format changes (a functional bug, not secret exfiltration). Recommendation: inspect the remote README URL manually (curl the DATA_URL) and test the script in a sandbox or isolated environment. If you need the advertised trend/compare features, ask the publisher for the missing scripts or an updated release.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔥 Clawdis
