← Back to Skills Marketplace
540
Downloads
0
Stars
5
Active Installs
1
Versions
Install in OpenClaw
/install weibo-trending
Description
微博多频道热搜数据采集与可视化 | Weibo Multi-Channel Hot Search Data Collection & Visualization 支持热搜总榜、社会榜、文娱榜、生活榜同时抓取 | Supports hot search, social, entertainment, life ch...
Usage Guidance
This package mostly does what it claims (collect Weibo hot-search items, save to a SQLite DB, and create an HTML report), but there are notable concerns you should address before running it:
- The scripts rely on an external CLI 'openclaw browser' to open pages and capture snapshots, but SKILL.md and the manifest do not declare this dependency. Ensure you have 'openclaw' installed from a trusted source before using the scripts.
- The fetcher uses subprocess.run with shell=True to execute commands like: openclaw browser open --profile openclaw '{url}'. Those commands include URLs and other strings derived from parsed page snapshots. If an attacker can influence snapshot output (or if a malformed URL contains shell metacharacters), this can lead to command injection. Consider running the tool only in an isolated environment (VM/container) and inspect/clean inputs first.
- If you plan to use this skill: (1) Review and/or modify fetch-hot-search.py and fetch-topic-content to avoid shell=True and to pass command arguments as lists to subprocess.run; (2) sanitize or validate any URL or title data before embedding into shell commands; (3) explicitly document and verify the 'openclaw' dependency in SKILL.md; (4) run initial tests with a non-privileged user and in a sandbox; (5) consider adding explicit warnings in SKILL.md about the browser dependency and security considerations.
If you want higher assurance, ask the author to declare the 'openclaw' dependency and to replace shell invocations with safe APIs or subprocess argument lists and to add input sanitization. Without those changes, treat the skill as potentially risky on sensitive hosts.
Capability Analysis
Type: OpenClaw Skill
Name: weibo-trending
Version: 1.0.0
The skill bundle provides legitimate functionality for scraping and visualizing Weibo hot search data, but it contains critical security vulnerabilities. Specifically, 'scripts/fetch-hot-search.py' uses 'subprocess.run' with 'shell=True' to process URLs parsed directly from external web content, which creates a significant shell injection risk. Additionally, 'scripts/query.py' uses string formatting to construct SQL queries, introducing a potential SQL injection vector. While these appear to be unintentional coding flaws rather than intentional malice, they constitute high-risk behaviors that could be exploited by malicious content on the scraped pages.
Capability Assessment
Purpose & Capability
The project claims to be a Weibo hot-search collector/visualizer and the included scripts implement that. However the runtime code relies heavily on an external 'openclaw' browser CLI (used to open pages and obtain snapshots) but the skill metadata and SKILL.md do not declare this dependency. The lack of a declared required binary is an incoherence: a legitimate collector needs the browser CLI (or an HTTP client), so the missing declaration is unexpected.
Instruction Scope
SKILL.md documents how to run the Python scripts but never mentions the required 'openclaw' CLI or its security implications. The fetch scripts instruct the agent to run shell commands that open URLs and capture snapshots, then parse snapshot text to extract URLs and post content. That parsing output is later used to construct more shell commands — this expands scope beyond simple parsing and could lead to executing commands derived from external page content. The instructions are also silent about running in an isolated environment or validating inputs.
Install Mechanism
There is no install specification (instruction-only install), so nothing will be automatically downloaded or executed during install. That lowers installer risk. However the skill includes multiple code files that will be placed on disk; they will execute local subprocesses at runtime.
Credentials
The skill requests no environment variables or credentials, and stores data in a local SQLite DB and HTML file. The requested access is proportionate to the described purpose.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It writes only to its own data/ directory and DB; it doesn't modify other skills or system-wide configs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install weibo-trending - After installation, invoke the skill by name or use
/weibo-trending - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Multi-channel Weibo hot search collector with HTML visualization
Metadata
Frequently Asked Questions
What is 微博热搜采集 | Weibo Hot Search?
微博多频道热搜数据采集与可视化 | Weibo Multi-Channel Hot Search Data Collection & Visualization 支持热搜总榜、社会榜、文娱榜、生活榜同时抓取 | Supports hot search, social, entertainment, life ch... It is an AI Agent Skill for Claude Code / OpenClaw, with 540 downloads so far.
How do I install 微博热搜采集 | Weibo Hot Search?
Run "/install weibo-trending" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 微博热搜采集 | Weibo Hot Search free?
Yes, 微博热搜采集 | Weibo Hot Search is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 微博热搜采集 | Weibo Hot Search support?
微博热搜采集 | Weibo Hot Search is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created 微博热搜采集 | Weibo Hot Search?
It is built and maintained by noah (@noah-1106); the current version is v1.0.0.
More Skills