Security scan
OpenClaw
Suspicious
high confidence
Assessment and recommendations
Key things to check before installing:
- Credential mismatch: SKILL.md says "需要配置 Brave Search API 密钥" (a Brave Search API key must be configured) but the registry metadata declares no required env vars — confirm whether you must provide a Brave Search API key (or other search credentials) and where to store it. Do not paste secrets into free-text fields.
- Missing file: SKILL.md references scripts/compare-jobs.py but that file is not present. Ask the author why and request the missing file or an explanation of how job comparison will be ...
ℹ Purpose and capabilities
Name/description (monitor GIS/surveying and mapping campus recruitment) aligns with the included scripts that generate reports and assemble job lists. However SKILL.md says a Brave Search API key is required and that the skill will use platform tools (web_search, browser, dingtalk-cron-job) — the registry metadata lists no required env vars or credentials and no explicit dependency list. Also SKILL.md references a compare-jobs script that is not present in the file manifest. These mismatches suggest incomplete/misaligned packaging.
⚠ Instruction scope
SKILL.md instructs the agent to perform network searches (web_search / Brave Search API) and browser-based scraping and to create scheduled pushes via dingtalk-cron-job. The included Python scripts, however, are largely offline/simulated (search-jobs.py returns sample data and documents assemble local content) and do not implement real network scraping; there is also a reference to scripts/compare-jobs.py in SKILL.md but no such file in the package. The instructions also direct writing to local files (references/latest-jobs.md) and creating scheduled deliveries to a Dingtalk channel — those are normal for this use case but grant the skill the ability to read, write, and transmit job data and to create scheduled messages. The agent instructions mention an external API key (Brave Search) but that credential is not declared in metadata.
✓ Install mechanism
There is no install spec (instruction-only skill with some scripts). That is low-risk compared to arbitrary download/install steps. However the Python scripts import python-docx (module 'docx') which is not declared in metadata — the skill implicitly requires this dependency to run but doesn't declare how to install it.
⚠ Credential requirements
The SKILL.md explicitly says a Brave Search API key is required, but the skill metadata lists no required env vars or primary credential. The package therefore omits declaring a credential the instructions require. The scripts themselves don't read env vars, but runtime behavior (web_search, Brave API, dingtalk delivery) will require credentials or platform tooling. This mismatch is disproportionate and could lead to unexpected prompts/requests for secrets at runtime.
ℹ Persistence and privileges
The skill is not always-enabled and uses normal autonomous invocation. It writes output files to local paths in the package (examples: /tmp/openclaw/... and /root/.openclaw/workspace/...), which implies it expects write access to those locations (writing into /root suggests an expectation of root or specific environment). It also instructs creating scheduled tasks via the platform's cron tool and delivery via a Dingtalk channel, which are legitimate but mean the skill can be scheduled to run and send external messages if permitted by the platform.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/26
● Benign
Install command
Official: npx clawhub@latest install gis-job-monitor
Mirror (accelerated): npx clawhub@latest install gis-job-monitor --registry https://cn.longxiaskill.com