📦 Ph
v1.1.0 wingman
AI-native ProductHunt outreach agent: automated community discovery, profile enrichment, and LinkedIn engagement.
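Last updated: 2026/4/19
Security scan
OpenClaw
Suspicious
Medium confidence. The skill's declared purpose (ProductHunt outreach + LinkedIn automation) matches most of the credentials it requests, but its runtime instructions require cloning and executing a remote setup script, starting a persistent local server that stores your LinkedIn credentials, and scheduling autonomous activity. These behaviors are risky and cannot be audited from the skill package provided.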
Assessment recommendations
This skill asks the agent to download and run a remote repository and then host a persistent local service that will use your LinkedIn email/password and other API keys. Before installing, do the following: (1) Review the GitHub repository and the full contents of ./setup.sh and server code yourself (or have a trusted developer do so). (2) Prefer token/OAuth-based login instead of providing your LinkedIn password; ask the author if OAuth/session cookies can be used. (3) If you must test, run it ...
✓ Purpose and capabilities
Name/description align with required env vars: CRUSTDATA_API_KEY (discovery), OPENAI_API_KEY (message personalization), and LinkedIn credentials (auto-login/automation). Requiring a LinkedIn email/password is coherent with the stated goal of automated connection/DM lifecycles.
⚠ Instruction scope
The SKILL.md instructs the agent to check a localhost API, and if missing, git-clone a remote repo into $HOME/.ph-wingman, run an opaque ./setup.sh, and start a background server (nohup). That server then performs scraping, enrichment, and LinkedIn actions (including joining/scraping groups). These instructions cause disk writes, execution of arbitrary remote code, long-lived background processes, and handling of sensitive credentials — none of which are auditable from this instruction-only package. The SKILL.md also asserts 'local-first' but offers no verifiable guarantees and references actions (group scraping) that can collect large amounts of personal data.
⚠ Install mechanism
There is no formal install spec in the package; instead the runtime instructions instruct the agent to download code from https://github.com/techievena/producthunt-wingman and run ./setup.sh. Running an unreviewed setup script fetched at runtime is high risk because the script could perform arbitrary actions (install other packages, exfiltrate data, escalate privileges). The registry scan had no code to analyze, so the actual install-time behavior is unknown.
⚠ Credential requirements
The requested env vars are relevant to the feature set, but LINKEDIN_PASSWORD is highly sensitive and the skill requires storing/using it directly rather than using an OAuth/token-based approach. The declared primaryEnv is CRUSTDATA_API_KEY while the most sensitive credentials are LinkedIn credentials — this mismatch is noteworthy. The SKILL.md claims only Crustdata/OpenAI calls are external, but the opaque setup and persistent server create risk that credentials or scraped data could be transmitted elsewhere.
⚠ Persistence and privileges
Although the skill metadata doesn't set always:true, the instructions create a long-lived background service, persistent browser profile, and recommended cron jobs. That results in durable, autonomous capability on the host with access to stored credentials and network connectivity — increasing the blast radius if the server or code is malicious or vulnerable.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
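Versions
latest v1.1.0 2026/4/19
**Major update: launch of a comprehensive ProductHunt outreach automation agent.**
- Automates end-to-end PH community building, profile enrichment, and LinkedIn engagement.
- Provides complete setup and agent instructions for zero-intervention installation and operation management.
- Adds dashboard integration with advanced controls: lead personas, custom messages, scheduled sending, and more.
- Emphasizes local operation to protect privacy; credentials and sessions are stored only locally.
- Built-in protections for data privacy, anti-bot detection, and API quota limits.
- Supports cron-based daily automatic outreach sync and reporting.
● Suspicious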
Install command
Official: npx clawhub@latest install ph-wingman
Mirror: npx clawhub@latest install ph-wingman --registry https://cn.longxiaskill.com