Food Safety Sentiment Monitor (Kevin)

Pass

Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: food-safety-sentiment-monitor
Version: 1.0.1

The skill bundle is a sentiment monitoring tool designed to scrape social media (specifically Weibo) for food safety concerns and analyze them using an LLM. The code in index.js uses Playwright for web scraping and includes mock data for testing purposes, with no evidence of data exfiltration, malicious execution, or prompt injection attacks.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could mistake mock crisis output for real monitoring and prepare or act on an unnecessary PR response.

Why it was flagged

When no Minimax key is configured, the monitor returns a specific fabricated critical incident rather than a real analysis result, while the SKILL.md advertises automatic real-time sentiment monitoring and event detection.

Skill content

if (!config.minimax.apiKey) { ... eventSummary: "罗永浩曝光西贝北京门店食材过期,转发量50万+", riskLevel: "critical" }

Recommendation

Label this clearly as test/demo code, remove hard-coded critical incidents from production paths, and require verified live data plus user review before generating crisis guidance.

What this means

Running the skill will drive a headless browser to visit Weibo search results.

Why it was flagged

The skill executes a fixed function inside the browser page context to extract DOM text, which is normal for Playwright scraping but still means the skill runs browser automation code.

Skill content

const events = await page.$$eval('.card-wrap', nodes => nodes.slice(0, 5).map(n => ({ ... })))

Recommendation

Use only in an environment where browser automation and access to Weibo are acceptable, and keep Playwright updated.

What this means

If the user fills in credentials, the skill can act against that Minimax account for model calls.

Why it was flagged

The code can use a Minimax API key and group ID if configured, although registry metadata declares no primary credential or required environment variables.

Skill content

apiKey: config.minimax.apiKey, groupId: config.minimax.groupId

Recommendation

Document the credential requirement in metadata and use a least-privileged key dedicated to this skill.

What this means

Collected social-media content and chosen keywords may leave the local environment for provider processing.

Why it was flagged

If Minimax is configured, scraped event content and author fields are sent to an external model provider for analysis.

Skill content

const prompt = `分析舆情:${JSON.stringify(events)}...`; const res = await client.chat.completions.create({ ... })

Recommendation

Avoid sending private or sensitive data, and review Minimax data-handling terms before enabling the API path.