📦 OEE Social Research — 社媒分层速研
v1.0.0无需 API Key,即可对 Twitter 及全网源进行三级深度挖掘,自动提取关键信息并生成结构化简报,一键输出洞察。
0· 707·0 当前·0 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
What to consider before installing:
- Prompt-injection: The SKILL.md contains hidden Unicode/control characters (scanner flagged this). These can be used to hide instructions or influence agent behavior — inspect the raw SKILL.md (bytes) and remove unexpected control characters before trusting the skill.
- Privacy: The skill logs queries and usage to .logs and caches results in .cache and writes briefings to .briefings in the skill directory. If you will search sensitive topics, run this in a di...详细分析 ▾
✓ 用途与能力
Name/description match the code: the package implements tiered Twitter/X retrieval (FxTwitter), web search fallbacks, and browser scraping as described. It does not request unrelated cloud credentials or system-level access. Minor mismatch: the code imports ravens.fxtwitter via package-style import; this is likely coherent given the included __init__.py, but could break depending on install layout.
⚠ 指令范围
SKILL.md instructs agents to run the included script and does not ask for unrelated system files, but the pre-scan flagged 'unicode-control-chars' in SKILL.md (hidden/control characters) which can be used for prompt-injection or to hide instructions. The code writes logs (.logs/usage-*.jsonl) and cached queries (.cache/*.json) in the skill directory and will store full query text — a privacy risk. The instructions and code also perform remote network requests to many public/third-party endpoints (FxTwitter, SearXNG instances, DuckDuckGo HTML, various nitter instances).
✓ 安装机制
There is no install spec (instruction-only with bundled code), so nothing is downloaded/installed during install. This lowers install-time risk. However, the runtime performs many outbound HTTP(S) requests to third-party instances (some are public/community endpoints), which is an operational risk rather than an installer risk.
ℹ 凭证需求
The skill declares no required env vars but the code optionally reads BRAVE_API_KEY for Brave Search; that is reasonable for an optional enhancement. No other secrets/credentials are requested. Concerning: query text and usage metadata are logged to disk in .logs and cached in .cache (may include sensitive search terms), and the skill may try to enrich search hits by calling external services, so sensitive inputs could be transmitted to remote hosts.
ℹ 持久化与权限
The skill does not request always:true and does not modify other skills. It persists data locally under the skill directory (.cache, .logs, .briefings), which is expected for caching/briefings but can hold sensitive data. Autonomous invocation is permitted (platform default); combined with logging and external network access this expands blast radius but is not a standalone error.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/14
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install oee-social-research
镜像加速npx clawhub@latest install oee-social-research --registry https://cn.longxiaskill.com✓ 镜像可用