A real-time intelligence feed tracking the top 50 AI organizations and influencers globally.

每日自动监控全球Top AI领域X/Twitter账号动态，生成结构化日报。包含重点动态推荐、完整活跃度总览、分层关注建议。支持免费无API爬虫模式和官方API模式，完全自动化无需人工干预。使用场景：(1) 每日8:30自动推送AI行业动态 (2) 监控特定账号最新动态 (3) 生成行业趋势报告 (4) 提到"X...

This skill can produce the daily X/Twitter report it claims, but there are several red flags you should address before installing or running it: - Source verification: the skill owner is unknown and there is no homepage—prefer verified sources. - Embedded secrets: x-monitor.js hardcodes tokens and an X_API_KEY; treat these as potentially sensitive or stale and do not run code that contains untrusted secrets. Ask the author to remove hardcoded tokens and accept credentials via documented env vars or a secure vault. - Undeclared environment usage: the monitor uses process.env.FEISHU_ACCESS_TOKEN but the skill metadata lists no env vars—confirm which credentials are required and why. - Browser cookie access: the free scraper will attempt to reuse your Chrome session (scraper.useCookiesFromBrowser('chrome')). That allows the skill to access session cookies and act as you on X. Only run this in a controlled environment or avoid cookie reuse by using a throwaway account or the official API mode. - Dependency review: audit the '@the-convocation/twitter-scraper' package source and behavior (it may perform headless browser automation and filesystem access). - Run sandboxed: if you still want to try it, run it in an isolated environment (VM/container) with no sensitive browser profiles mounted, and avoid supplying real credentials until you've reviewed network calls and code. If the author can (1) remove hardcoded tokens, (2) document required env vars and external endpoints, and (3) provide an option that does not reuse local browser sessions, the risk would be significantly lower.

Type: OpenClaw Skill Name: x-daily-report Version: 1.0.0 The skill bundle exhibits high-risk behavior by accessing sensitive local data. Specifically, `scripts/x-scraper-free.js` uses `scraper.useCookiesFromBrowser('chrome')` to extract session cookies from the user's browser to bypass X/Twitter API restrictions. While this aligns with the stated 'free scraping' functionality, it is a significant privacy risk. Additionally, `scripts/x-monitor.js` contains a hardcoded X API key (THp2c1V4bW5JQVJ1S09IY1BzN1NubDoxaXJpUQ), which constitutes a credential leak. There is no clear evidence of intentional exfiltration of the stolen cookies to a third-party server, placing it in the suspicious category rather than malicious.