PHP
v1.1.0 wingman: AI-native ProductHunt outreach agent for automated community discovery, data enrichment, and LinkedIn interaction.
Last updated
2026/4/19
Security scan
OpenClaw
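Suspicious
Medium confidence: the skill's stated purpose (ProductHunt outreach + LinkedIn automation) matches most of the requested credentials, but the runtime instructions require cloning and running a remote setup script, starting a persistent local server that holds your LinkedIn credentials, and scheduling autonomous activity. This behavior is risky and cannot be audited from the provided skill package.
Assessment recommendations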
This skill asks the agent to download and run a remote repository and then host a persistent local service that will use your LinkedIn email/password and other API keys. Before installing, do the following: (1) Review the GitHub repository and the full contents of ./setup.sh and server code yourself (or have a trusted developer do so). (2) Prefer token/OAuth-based login instead of providing your LinkedIn password; ask the author if OAuth/session cookies can be used. (3) If you must test, run it ...
Detailed analysis
✓ Purpose and capabilities
Name/description align with required env vars: CRUSTDATA_API_KEY (discovery), OPENAI_API_KEY (message personalization), and LinkedIn credentials (auto-login/automation). Requiring a LinkedIn email/password is coherent with the stated goal of automated connection/DM lifecycles.
⚠ Instruction scope
The SKILL.md instructs the agent to check a localhost API, and if missing, git-clone a remote repo into $HOME/.ph-wingman, run an opaque ./setup.sh, and start a background server (nohup). That server then performs scraping, enrichment, and LinkedIn actions (including joining/scraping groups). These instructions cause disk writes, execution of arbitrary remote code, long-lived background processes, and handling of sensitive credentials — none of which are auditable from this instruction-only package. The SKILL.md also asserts 'local-first' but offers no verifiable guarantees and references actions (group scraping) that can collect large amounts of personal data.
⚠ Install mechanism
There is no formal install spec in the package; instead the runtime instructions instruct the agent to download code from https://github.com/techievena/producthunt-wingman and run ./setup.sh. Running an unreviewed setup script fetched at runtime is high risk because the script could perform arbitrary actions (install other packages, exfiltrate data, escalate privileges). The registry scan had no code to analyze, so the actual install-time behavior is unknown.
⚠ Credential requirements
The requested env vars are relevant to the feature set, but LINKEDIN_PASSWORD is highly sensitive and the skill requires storing/using it directly rather than using an OAuth/token-based approach. The declared primaryEnv is CRUSTDATA_API_KEY while the most sensitive credentials are LinkedIn credentials — this mismatch is noteworthy. The SKILL.md claims only Crustdata/OpenAI calls are external, but the opaque setup and persistent server create risk that credentials or scraped data could be transmitted elsewhere.
⚠ Persistence and privileges
Although the skill metadata doesn't set always:true, the instructions create a long-lived background service, persistent browser profile, and recommended cron jobs. That results in durable, autonomous capability on the host with access to stored credentials and network connectivity — increasing the blast radius if the server or code is malicious or vulnerable.
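Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v1.1.0 2026/4/19
**Major update: introduces a comprehensive ProductHunt outreach automation agent.**
- Automates the end-to-end flow of PH community building, profile enrichment, and LinkedIn interaction.
- Provides detailed setup and agent instructions for unattended installation and runtime management.
- Adds dashboard integration with advanced controls: Lead Genome, custom messages, scheduling, and more.
- Emphasizes local execution to protect privacy; credentials and sessions stay on your machine.
- Built-in safeguards covering data privacy, anti-scraping detection, and API credit limits.
- Supports cron-based automated daily outreach sync and reporting.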
Install command
Official: npx clawhub@latest install ph-wingman
Mirror: npx clawhub@latest install ph-wingman --registry https://cn.longxiaskill.com