📦 research-web-publisher — 调研报告网页发布
v1.0.0将调研结果一键渲染成图文HTML,自动推送到GitHub并生成国内可访问的预览链接,完成发布闭环。
0· 260·1 当前·1 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
Before installing, be aware this skill's instructions will: (1) expect to create/write HTML files in a specific local directory (~/.openclaw/.../workplace-doc/), (2) run git add/commit/push in a repo and thus require git and GitHub credentials, and (3) request automatic triggering on many keywords. The skill metadata does not declare git as a required binary nor any credential environment variables (e.g., GITHUB_TOKEN or SSH key), and it hardcodes a GitHub repo. Ask the publisher to: (a) remove ...详细分析 ▾
⚠ 用途与能力
The declared purpose (publish research HTML to GitHub and produce a domestic preview link) matches the textual instructions. However the SKILL.md explicitly requires running git operations and operating on a specific local output directory, yet the skill metadata lists no required binaries (git) and no credentials. The SKILL.md also hardcodes a GitHub repo (2239721014-ops/ai-hardwork-report) and a local path (~/.openclaw/.../workplace-doc/), which is unexpected for a generic publisher and may not belong to the user.
⚠ 指令范围
Instructions instruct the agent to read source file paths, write HTML into a specific output directory, run git add/commit/push in a repo path, and generate CDN/preview links. The SKILL.md also mandates automatic triggering on many keywords. These runtime steps imply access to the user's filesystem and Git remotes and the ability to push to repositories, but the skill gives no guidance about confirming user consent before pushing or how to authenticate.
✓ 安装机制
This is an instruction-only skill with no install spec and no code files, so there is nothing written to disk by an installer—this is low risk from an installation perspective.
⚠ 凭证需求
No environment variables or credentials are declared, yet git push to GitHub will typically require credentials (SSH keys, GITHUB_TOKEN, or username/password). The mismatch between required runtime capabilities and declared credentials is disproportionate and unexplained. Also the default remote repo is third-party-looking and not justified.
⚠ 持久化与权限
While the skill metadata does not set always:true, the SKILL.md explicitly requires the skill be automatically triggered on many user keywords. Allowing autonomous invocation combined with instructions to modify local files and push commits increases risk of unintended or repeated filesystem and network actions. The skill does not instruct to always request explicit user confirmation before pushing.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/15
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install research-web-publisher
镜像加速npx clawhub@latest install research-web-publisher --registry https://cn.longxiaskill.com