ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trend Radar

v1.0.0

Real-time trending topics aggregator across 7 platforms (X/Twitter, Reddit, Google Trends, Hacker News, Zhihu, Bilibili, Weibo). Trigger: when user says 'tre...

0· 227·4 current·4 all-time
by@xiaoyiweio
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (aggregating trending topics from 7 platforms) matches the code and runtime requirements. The only declared dependency is python3 and the code fetches HTML/RSS/public APIs for the listed platforms — this is expected.
Instruction Scope
SKILL.md instructs the agent to run the included Python scripts (overview, expand, JSON output) and explicitly disallows falling back to web_search. Those scripts only perform HTTP requests to public platform endpoints and format results. The scheduler instructions call scripts/scheduler.py which will read and write the user's crontab; the trends script can write JSON files under ~/.openclaw/trend-radar/daily/ when --save is used. This is within the described functionality but is a system-level change the user should review before enabling.
Install Mechanism
Install spec only requests installing python3 via brew (standard, low-risk). The repository contains pure Python standard-library code; there are no downloads from arbitrary URLs or extract/install steps that write unknown binaries.
Credentials
No required environment variables, no primary credential, and the scripts do not read credentials. The scripts do perform network requests to multiple public domains (trends24.in, reddit, google, hackernews firebase, zhihu, bilibili, weibo, tophub), which is expected for this purpose. One source (weibo HTML fallback) includes a static Cookie header; it's not a secret from the user, but odd and worth noting.
Persistence & Privilege
always is false and the skill does not auto-enable itself. However, the scheduler helper will modify the user's user-level crontab when invoked and the main script can save daily archives to ~/.openclaw/trend-radar/daily/. These behaviors require explicit user actions (running scheduler.py --set or trends.py --save) but they are persistent and affect the host environment.
Assessment
This skill appears to do exactly what it claims: fetch public trending data from the seven listed platforms using only Python standard library HTTP calls. Before installing/using: 1) Review and run the scripts locally (e.g., python3 scripts/trends.py --mode overview) to see outputs and confirm endpoints. 2) Do NOT run the scheduler (--set) unless you want the skill to add entries to your user crontab; inspect the crontab changes printed by the command and verify the command path. 3) Be aware the scripts make outbound HTTP requests to multiple third‑party sites — if you need to limit network access, run them in a sandboxed environment. 4) The skill does not request credentials, but scraping may break or be rate-limited; the static Cookie in the Weibo HTML fallback is unusual but not a secret leak. 5) If you want more assurance, run the code in an isolated account/container and inspect ~/.openclaw/trend-radar/daily/ before allowing persistent schedules.

Like a lobster shell, security has layers — review code before you run it.

latestvk9732fx5jeakwfddszpdmyzdsd8355xk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📡 Clawdis
Binspython3

Install

Install Python 3 (brew)
Bins: python3

Comments