Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeChat Official Account Content Aggregation

v1.0.0

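Given an official account's name or link, summarizes the account's positioning and core viewpoints, helps the user choose keyword preferences, and pushes aggregated content on a schedule.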

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (WeChat public-account aggregation and scheduled push) align with the SKILL.md flow (search, summarize, propose keywords, push, optionally save). Declared dependencies (web_search, feishu_bitable_create_record, memory) are conceptually consistent with the purpose. However, the skill references storing records to Feishu even though no required environment variables or credential requirements are declared in the metadata — a transparency gap (the skill expects a feishu tool but doesn't state what credentials or access scope are needed).
! Instruction Scope
Instructions tell the agent to perform web searches (Baidu) to summarize content, record user keyword preferences to Memory, and perform a daily push at 10:00. Two issues: (1) '每天10点' (daily at 10:00) scheduling is specified but the SKILL.md does not explain how scheduling is implemented (no scheduler, no install step, no platform hook described) — this grants broad implicit autonomy or relies on platform behavior that isn't documented. (2) The skill will save data to an external system (Feishu) after user confirmation; the instructions do not specify what fields are sent, how much content, or whether content scraping might include copyrighted full-text. These are scope/privacy concerns.
Install Mechanism
Instruction-only skill with no install spec and no code files — this is low-risk from an installation perspective (nothing is written to disk).
! Credentials
The SKILL.md depends on a feishu_bitable_create_record tool (external storage) and on Memory for persistent preferences, but the registry metadata lists no required env vars or primary credential. If Feishu integration requires API keys or tokens, the skill should state that. Not declaring required credentials reduces transparency and may hide data exfiltration paths (sensitive user data could be sent to Feishu or other endpoints).
Persistence & Privilege
always is false (good). The skill claims daily autonomous pushes, which implies persistent scheduling/autonomous invocation; this is permitted by platform defaults but is ambiguous here — the mechanism and user opt-in controls are not fully specified. Memory is used to store preferences; users should be aware this persists between sessions.
What to consider before installing
Before installing, confirm these points with the skill author or your platform administrator: (1) How is the daily '10:00' push implemented? Does the platform run a scheduler or will the skill trigger autonomously? You should be able to opt out of scheduled pushes. (2) What credentials/access does feishu_bitable_create_record require? Which Feishu site/app will receive your data and what exact fields are written? Verify and limit the scope (write-only, specific table) if possible. (3) Memory is used to store user keyword preferences — check retention and privacy policy and whether you can delete stored preferences. (4) The skill uses Baidu web searches and may aggregate third-party content — confirm whether full article text or only summaries/links are sent to external services. If you cannot get clear answers on scheduling and Feishu credential use, treat the skill with caution or avoid installing it.

Like a lobster shell, security has layers — review code before you run it.

latestvk9700bhgs48jgh63dhmr8gyhkx83ns9h
