auto-researcher
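v1.0.0
AI research assistant - automatically researches any topic across platforms and generates a structured report. Supported platforms: X/Twitter, Reddit, YouTube, GitHub, Hacker News, Product Hunt, news sites. Trigger words: "研究" (research), "调研" (investigate), "分析" (analyze), "收集信息" (collect information), "auto research", "research this"....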
⭐ 0· 63·0 current·0 all-time
by @yofoan
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (cross-platform research) align with what the scripts do: they scrape/search X/Twitter, Reddit, GitHub, Hacker News, Product Hunt and web results and then produce Markdown reports. Optional use of gh/xreach/yt-dlp is consistent with the stated platforms; there are no unrelated requirements (no unexpected AWS keys, etc.).
Instruction Scope
SKILL.md and scripts instruct the agent to perform network requests to public APIs and web pages, save raw outputs to /tmp, and run Python-based parsers to generate reports. They do not request arbitrary local files, but they may invoke installed CLIs (gh, xreach) which could access locally stored credentials. The scripts also route some fetches through the r.jina.ai proxy (see code) which means query contents are sent to that third party — this is expected for scraping but is a privacy consideration.
Install Mechanism
There is no install step in the registry metadata; the skill is instruction+script only. All code is included in the package (no external archive downloads or install URLs).
Credentials
The skill declares no required environment variables or credentials, which matches the code. However, it conditionally calls local CLIs (gh, xreach, yt-dlp) if present; these CLIs may use the user's existing auth tokens/config (e.g., GH token), so running the scripts could cause those tokens to be used to access APIs. Also, routing requests via r.jina.ai sends your search queries and fetched page contents to that third party — consider this when researching sensitive topics.
Persistence & Privilege
The registry flags show no elevated persistence (always=false). The skill does not alter other skills' configs or request permanent platform privileges. It writes output to /tmp and a configured output_dir but does not embed itself into agent configuration.
Assessment
This skill appears to do what it says (collect public web data and build reports) but take these precautions before enabling it:
1) Review the included scripts yourself (they are present in the package) and run them in an isolated environment if possible.
2) Be aware that some requests are proxied via r.jina.ai — your queries and scraped page contents will go to that third party. If that is unacceptable, modify the code to call target sites directly.
3) If you have gh/xreach/yt-dlp installed, those CLIs will be invoked and may use your existing credentials — remove/uninstall or ensure credentials are limited if concerned.
4) The tool saves raw data under /tmp (or configured output_dir); clear sensitive outputs after use.
5) Avoid researching or inputting sensitive or confidential topics that you would not want transmitted to external services.
If you want higher assurance, run the scripts offline or behind a controlled proxy and audit the full (untruncated) source before use.
Like a lobster shell, security has layers — review code before you run it.
latest vk975f25d0483j84bkhfqbc6tjh83n0f8
