关键词监控系统
PassAudited by VirusTotal on May 5, 2026.
Overview
Type: OpenClaw Skill Name: keyword-monitor Version: 1.4.0 The skill bundle describes a legitimate keyword monitoring and content collection tool that utilizes the Tavily AI API and Feishu (Lark) Webhooks for reporting. Analysis of SKILL.md and keywords.txt reveals no malicious code, data exfiltration logic, or harmful prompt injection attempts; the requested permissions (network access for search and webhooks) are consistent with the stated functionality. A referral link for an AI service (shadowai.xyz) is present in SKILL.md but does not pose a security risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may underestimate that monitored keywords, search queries, or generated reports can leave the local environment and be visible to external services or a Feishu group.
The skill claims data will not be uploaded to third parties, but it also describes using Tavily’s external API and pushing reports to Feishu via webhook.
所有数据存储在本地,不会上传到第三方 ... 基于 Tavily AI 搜索 API ... 每日报告自动推送到飞书群
Revise the privacy statement to accurately describe what is sent to Tavily and Feishu, and require the user to confirm external sharing before enabling pushes.
If configured carelessly, these credentials could allow unwanted API usage or posting into the selected Feishu group.
The skill requires a Tavily API key and may use a Feishu webhook, which are sensitive credentials or delegated posting authority. This is purpose-aligned, but the registry metadata declares no primary credential or required env vars.
飞书推送:在配置中设置Webhook地址(可选) ... API配置:需要Tavily API Key
Use least-privilege credentials, restrict the Feishu webhook to a dedicated group, and store keys outside the skill text or shared prompts.
Keywords, collected content, and reports may be processed by third-party services or delivered to people in the configured Feishu group.
The described workflow depends on an external search provider and a webhook destination. These integrations are expected for the skill, but the data boundaries are not fully specified.
基于 Tavily AI 搜索 API,自动抓取各大平台 ... 飞书Webhook仅用于推送报告
Document exactly what data is sent to each provider and avoid including confidential keywords, private leads, or sensitive business data unless the user approves.
Local reports may retain monitored topics, competitor information, or sales leads beyond the immediate task.
The skill stores generated reports locally for later use. This is aligned with monitoring and trend analysis, but it creates persistent local records.
所有报告保存在本地,支持历史查询和趋势分析
Specify the storage path, retention period, and cleanup process, and avoid storing sensitive monitoring data longer than needed.