Description

全网热点聚合 - 微博/知乎/抖音/新闻热榜自动抓取，生成 AI 友好格式的每日热点日报

README (SKILL.md)

全网热点聚合技能

Name: Hotspot Aggregator
Author: linzmin

自动抓取各大平台热榜，生成 AI 友好的热点日报，让 AI 知道今天发生了什么！

🎯 功能特性

🔥 多平台热榜 - 微博/知乎/抖音/百度/36 氪等
📊 智能去重 - 合并相似热点
📝 AI 友好格式 - 结构化数据，AI 易解析
📅 定时生成 - 每日 8:00 自动发布
💬 对话建议 - 提供 AI 回应建议
📈 情绪分析 - 网友情绪倾向

📦 数据源

平台	更新频率	抓取数量	优先级
微博热搜	10 分钟	TOP50	⭐⭐⭐⭐⭐
知乎热榜	5 分钟	TOP50	⭐⭐⭐⭐⭐
抖音热榜	分钟级	TOP50	⭐⭐⭐⭐
百度热搜	实时	TOP50	⭐⭐⭐⭐
36 氪	小时级	TOP20	⭐⭐⭐⭐
虎嗅	小时级	TOP20	⭐⭐⭐
新华网	小时级	TOP10	⭐⭐⭐⭐

🚀 快速开始

1. 安装技能

clawhub install hotspot-aggregator

2. 配置（可选）

mkdir -p ~/.openclaw/hotspot
cat > ~/.openclaw/hotspot/config.json \x3C\x3C 'EOF'
{
  "sources": ["weibo", "zhihu", "douyin", "36kr"],
  "topN": 20,
  "notifyUser": "你的微信 [email protected]"
}
EOF

3. 使用

# 获取今日热点
hotspot-aggregator today

# 获取昨日热点
hotspot-aggregator yesterday

# 生成日报并发送
hotspot-aggregator daily-report

# 指定平台
hotspot-aggregator --source weibo,zhihu

📝 输出格式

Markdown 日报（给人看）

# 🔥 每日热点 - 2026-03-23

## 微博热搜 TOP10
1. 某明星离婚 🔥 讨论 500 万
2. 某公司发布新产品 📱 讨论 300 万
...

## 知乎热榜 TOP10
1. 如何评价 XXX 事件？
2. XXX 是什么体验？
...

JSON 数据（给 AI 看）

{
  "date": "2026-03-23",
  "sources": [
    {
      "name": "微博热搜",
      "items": [
        {
          "rank": 1,
          "title": "某明星离婚",
          "hot_value": 5000000,
          "keywords": ["离婚", "财产分割"],
          "sentiment": "吃瓜",
          "ai_suggestion": "保持中立，不站队"
        }
      ]
    }
  ]
}

🔧 技术实现

核心流程

1. 定时触发（每日 7:00）
   ↓
2. 并发抓取各平台热榜
   ↓
3. 数据清洗 + 去重
   ↓
4. 情绪分析 + 回应建议
   ↓
5. 生成 Markdown + JSON
   ↓
6. 发布到公众号 + 存入向量库
   ↓
7. AI 可以消费了！

抓取示例

// 微博热搜
async function fetchWeibo() {
  const rss = await fetch('https://rsshub.app/weibo/search/hot');
  const items = await parseRSS(rss);
  return items.slice(0, 50).map(item => ({
    rank: items.indexOf(item) + 1,
    title: item.title,
    hot_value: extractHotValue(item),
    url: item.link
  }));
}

// 知乎热榜
async function fetchZhihu() {
  const rss = await fetch('https://rsshub.app/zhihu/hotlist');
  const items = await parseRSS(rss);
  return items.slice(0, 50).map(item => ({
    rank: items.indexOf(item) + 1,
    title: item.title,
    answer_count: item.answer_count,
    url: item.link
  }));
}

📅 定时任务

每日 7:00 抓取

openclaw cron create \
  --schedule "0 7 * * *" \
  --command "hotspot-aggregator fetch"

每日 8:00 发布

openclaw cron create \
  --schedule "0 8 * * *" \
  --command "hotspot-aggregator publish"

🦆 AI 消费指南

如何引用热点

当用户提到热点事件时：

检索 - 从向量库查找相关热点
提取 - 获取关键信息（时间/地点/人物）
陈述 - 客观描述事实
建议 - 提醒核实信息

对话示例

用户："今天那个明星离婚的事你怎么看？"

AI 检索 → 匹配到"微博热搜#1"

AI 回复：
"看到了，今天微博热搜第一。目前已知信息：
- 双方已发布声明
- 涉及财产分割和孩子抚养
- 网友讨论约 500 万次

这件事比较复杂，建议等官方消息，
我们吃瓜就好，不要太站队～"

⚠️ 注意事项

信息准确性 - 提醒用户核实
敏感话题 - 不涉及政治敏感
情绪引导 - 保持客观中立
版权尊重 - 注明来源

📊 后续计划

v1.1（1 周后）

情绪分析增强
更多数据源
实时推送

v2.0（1 月后）

付费订阅 API
企业舆情监控
行业报告生成

许可证

MIT-0 License

Usage Guidance

What to consider before installing: - Hardcoded paths: The scripts write/read data to /home/lin/.openclaw/... (a specific developer home). On your machine this will likely fail or, worse, read/overwrite other users' or system files if that path exists. Expect to edit the scripts to use relative or configurable paths (use process.env.HOME or the skill's install directory consistently). - Messaging behavior: The report-sender constructs and runs an openclaw CLI command using a hardcoded bot account id and the notifyUser value. That means the skill will run shell commands on your system and attempt to send messages via your openclaw configuration. If notifyUser contains special characters, the constructed command could be abused for shell injection. Before running, sanitize/validate notifyUser and consider replacing execSync calls with safe programmatic APIs. - Missing dependency declarations: generate-daily-report.js uses require('deasync') but package.json has no dependencies. The skill may crash at runtime or prompt you to install extra modules. Review and add proper dependency declarations. - Privilege/scope mismatch: The skill does not request credentials but relies on the presence and configuration of the openclaw CLI and a messaging account. Confirm what account the CLI will use and whether you are comfortable the skill can trigger messages via your environment. - Mitigations: Inspect and edit the code before installation: fix hardcoded /home/lin paths to use a configurable data directory, remove or safely escape shell command construction, declare and install required Node dependencies in package.json, and confirm the openclaw account id and permissions. Run the skill in a sandbox/container or a throwaway account first. Given these mismatches and risks (file path assumptions, shell command construction, and undeclared deps), the skill is suspicious but not clearly malicious; manual code corrections and tighter runtime safety are recommended before use.

Capability Analysis

Type: OpenClaw Skill Name: ai-hotspot-daily Version: 1.0.0 The skill bundle contains a command injection vulnerability in 'scripts/generate-daily-report.js' where news headlines are passed to a shell command via 'execSync' with insufficient sanitization (only escaping double quotes). Additionally, both 'scripts/fetch-hotspots.js' and 'scripts/generate-daily-report.js' contain hardcoded absolute file paths (e.g., '/home/lin/...') which suggests poor portability and potential developer oversight. While the code appears to fulfill its stated purpose of aggregating news via RSSHub, the lack of input validation on external data makes it vulnerable to exploitation.

Capability Assessment

⚠ Purpose & Capability

The skill's name/description (hotspot aggregator) matches the code: it fetches RSS feeds, deduplicates, and generates reports. However, the runtime scripts write/read data to a hardcoded /home/lin/.openclaw/... path rather than relative or configurable locations, which is disproportionate and inconsistent with a general-purpose skill intended for arbitrary users. The package.json/install.sh imply installation under the skill directory or user home (~/.openclaw/hotspot), but the scripts persist data into another user's (or developer's) path — this mismatch is unexpected and suspicious.

⚠ Instruction Scope

The SKILL.md and scripts instruct network requests to public RSS endpoints (expected) but the code also reads/writes files in /home/lin/.openclaw/extensions/openclaw-weixin/skills/hotspot-aggregator/data (a location outside the skill bundle) and reads ~/.openclaw/hotspot/config.json. generate-daily-report.js also invokes the openclaw CLI to send messages. These file writes/reads and the arbitrary CLI invocation expand the scope beyond simple fetching/formatting and could interact with other OpenClaw components or users' environments.

ℹ Install Mechanism

This is an instruction-and-script skill (no remote download). install.sh creates ~/.openclaw/hotspot and sets script executable bits — low install risk. There is no network-based installer or download URL. However, package.json defines an install script which will run install.sh if npm install is used; that is expected but worth noting because it writes config files automatically.

⚠ Credentials

The skill declares no required env vars or credentials, yet it relies on: (1) availability of the openclaw CLI and its configured accounts, (2) a hardcoded messaging account id ('d72d5b576646-im-bot') used when sending messages, and (3) process.env.HOME in part but also a hardcoded /home/lin path in other parts. The messaging command is constructed using string interpolation with notifyUser inserted into a shell command (potential command-injection risk if notifyUser is attacker-controlled). Also the code requires 'deasync' at runtime but package.json has no dependencies listed — runtime failures or unexpected behavior may occur. Asking no credentials while using an internal CLI and hardcoded account is disproportionate and surprising.

⚠ Persistence & Privilege

always is false (good), and the skill does not declare privileged flags. However, the scripts write into /home/lin/.openclaw/extensions/openclaw-weixin/skills/... which is an area that may belong to other extensions or the platform; the skill could therefore create or overwrite files there. This file placement is unexpected for a skill and increases persistence/impact if misused. The skill does not modify other skills' configs explicitly, but the file path choice is concerning.

Version History

v1.0.0

hotspot-aggregator v1.0.0 初始发布 - 聚合微博、知乎、抖音、百度、36氪等平台热榜，每日自动生成热点日报。 - 提供结构化、AI 友好的输出格式（Markdown/JSON），包含情绪分析及对话建议。 - 支持定时抓取、去重、抓取配置和按平台筛选。 - 适用于个人、AI 对话助手、内容分析等场景。

Metadata

Slug ai-hotspot-daily

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Hotspot Aggregator?

全网热点聚合 - 微博/知乎/抖音/新闻热榜自动抓取，生成 AI 友好格式的每日热点日报. It is an AI Agent Skill for Claude Code / OpenClaw, with 122 downloads so far.

How do I install Hotspot Aggregator?

Run "/install ai-hotspot-daily" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Hotspot Aggregator free?

Yes, Hotspot Aggregator is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Hotspot Aggregator support?

Hotspot Aggregator is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Hotspot Aggregator?

It is built and maintained by linzmin (@linzmin); the current version is v1.0.0.

More Skills

Hotspot Aggregator