Brand Monitor - 品牌舆情监控
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s brand-monitoring purpose is coherent, but its main skill file makes misleading privacy claims because the included crawler requires SerpAPI and sends searches to that third-party service.
Review and update the configuration before installing. Make sure you are comfortable sending brand search queries to SerpAPI and reports to Feishu, protect the SERPAPI_KEY and Feishu webhook, and only enable cron/systemd scheduling if you want automatic recurring monitoring.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe searches are local or only sent to Feishu, while brand queries and the SerpAPI key are actually sent to SerpAPI.
The main skill file claims no third-party data sharing except Feishu, but the crawler sends search requests to SerpAPI. This is a material privacy/disclosure mismatch, even though SerpAPI use is purpose-aligned for search.
SKILL.md: "✅ Does not send data to third-party servers (except the configured Feishu Webhook)" / crawler: "self.base_url = \"https://serpapi.com/search\""
Update SKILL.md and registry metadata to clearly disclose SerpAPI use, what data is sent, and when Feishu reports are posted.
The skill will not perform real searches unless the user provides a SerpAPI credential that may incur quota or billing usage.
The skill uses a provider API key for SerpAPI, while the registry metadata declares no required environment variables or primary credential. The credential is purpose-aligned but under-declared.
self.api_key = api_key or os.environ.get('SERPAPI_KEY') ... raise ValueError("需要提供 SERPAPI_KEY 环境变量或 api_key 参数")
Declare SERPAPI_KEY and the Feishu webhook requirement in metadata, and document expected quota/cost and credential handling.
Dependency versions may change over time, which can affect reproducibility or introduce dependency risk.
The manual installer fetches Python packages using unpinned version ranges. This is common for a Python helper, but it is not represented by a registry install spec.
install.sh: "pip3 install -r requirements.txt" / requirements.txt: "requests>=2.31.0"
Use pinned dependency versions or a lockfile, and add an install spec or clear provenance information for the helper code.
Malformed brand names or platform values could cause failed commands, and unsafe templating could become risky in less controlled runtimes.
The prompt asks the agent to run a shell command with user/config-provided values. This is central to the skill’s function, but inputs should be treated as data and safely quoted.
python search_crawler_serpapi.py "{{brand_name}}" "{{platforms_list}}" 20 {{monitor_hours}}
Validate allowed platform values, sanitize or safely pass arguments, and keep shell execution limited to the reviewed crawler command.
Brand monitoring data, URLs, authors, sentiment labels, and alerts may remain in the agent’s memory and influence future reports.
The skill persists monitoring reports and top mention details for later trend analysis. This is purpose-aligned, but it creates retained context that can be reused across future runs.
Use the `memory` tool to save monitoring data ... "top_mentions": [ {前5条提及的完整数据} ]
Make memory retention explicit, allow users to clear or scope stored reports by brand, and avoid treating stored web content as trusted instructions.
Monitoring results and analysis will be posted into the configured Feishu destination, which may be visible to group members.
Reports are sent to a configured Feishu webhook. This is a disclosed, purpose-aligned integration, but it is still an external communication channel.
Push reports using the Feishu Webhook
Confirm the webhook points to the intended Feishu group and avoid including sensitive internal analysis unless the audience is appropriate.
If the user installs the schedule, the agent may run brand monitoring automatically and consume API quota or send recurring Feishu messages.
The README provides user-directed cron/systemd examples for scheduled monitoring. This is aligned with the monitoring purpose, but it can make the skill run repeatedly without a fresh manual prompt.
0 9 * * * cd ~/.openclaw && openclaw agent --message "执行品牌监控" >> /var/log/brand-monitor.log 2>&1
Only enable scheduling intentionally, monitor SerpAPI quota, and provide a clear disable/uninstall procedure for scheduled jobs.
