AI Trend Monitor

Pass
Audited by ClawScan on May 10, 2026.

Overview

This appears to be a disclosed Feishu AI-trend notification skill, but users should review webhook credentials, scheduled execution, install provenance, and the fact that the included code currently uses mock search data.

Before installing, verify the source repository and npm dependencies, configure a dedicated Feishu webhook securely, enable scheduled jobs only if you want recurring posts, and confirm that the mock search implementation has been replaced by a reviewed real data source.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone with the webhook URL may be able to post messages to the configured Feishu destination.

Why it was flagged

Feishu webhook URLs act like credentials that authorize posting into a chat. This is expected for the skill's push-notification purpose, but it is not declared in the metadata.

Skill content
const WEBHOOK_MARKET = process.env.WEBHOOK_MARKET || 'https://open.feishu.cn/open-apis/bot/v2/hook/xxx';
Recommendation

Use a dedicated, least-privilege Feishu bot webhook, store it securely, and rotate it if exposed.

What this means

The skill can continue posting trend summaries on a schedule until the cron jobs are removed or disabled.

Why it was flagged

The skill documents scheduled execution that can keep sending summaries after setup. This is purpose-aligned and user-configured, but it is persistent behavior.

Skill content
"schedule": "0 9 * * *", "command": "node ~/.openclaw/skills/ai_trend_monitor/ai_trend_monitor.js"
Recommendation

Install the cron jobs only if desired, and document how to disable or remove them.

What this means

If the real repository or npm dependencies differ from the reviewed files, unreviewed code could be installed.

Why it was flagged

The installation instructions ask the user to clone a repository and install npm dependencies, but the provided artifacts do not include a package manifest or lockfile for dependency review.

Skill content
git clone <repo-url> ~/.openclaw/skills/ai_trend_monitor
...
npm install
Recommendation

Verify the repository source, review package.json and lockfiles if present, and avoid running npm install from an untrusted source.

What this means

Users could mistakenly rely on mock trend data as if it were live monitoring.

Why it was flagged

The skill is described as monitoring live channels, but the included implementation says it uses simulated data unless replaced with a real search API.

Skill content
// Mock data - replace with a real search when actually deploying
Recommendation

Confirm that a real, reviewed search integration is implemented before using the skill for operational or business decisions.