← 返回 Skills 市场

Competitor Radar

Name: Competitor Radar
Author: xiaohuaishu

作者 xiaohuaishu · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

363

总下载

当前安装

版本数

在 OpenClaw 中安装

/install competitor-radar

功能描述

竞品动态监控雷达。自动抓取竞品博客RSS、GitHub Release、HackerNews讨论，用AI评分筛选重要动态，生成结构化报告。当需要了解竞品最新动向、监控行业变化时使用。

使用说明 (SKILL.md)

Competitor Radar 🎯

自动监控竞品动态，生成结构化分析报告。

配置竞品

编辑 config.yaml，添加你要监控的竞品：

competitors:
  - name: "竞品名称"
    domain: "example.com"
    blog_rss: "https://example.com/rss.xml"
    github_org: "github-org-name"
    keywords: ["关键词1", "关键词2"]

使用方法

# 扫描过去7天
python3 radar.py

# 扫描过去14天，保存报告
python3 radar.py --days 14 --output report.md

# 跳过AI评分（更快）
python3 radar.py --no-ai

# 使用自定义配置
python3 radar.py --config /path/to/my-config.yaml

数据来源

官网博客 RSS Feed
GitHub Release / Tag
HackerNews 提及

输出格式

Markdown 报告，按重要性分级（🔴重要 / 🟡值得关注 / ⚪一般）

安全使用建议

Do not install or run this skill without review. The code contains a hard-coded LLM API key and local LLM endpoint (embedded secret) and also uses an optional GITHUB_TOKEN environment variable that is not documented. This is suspicious because secrets should not be hard-coded in distributed code. Before using: (1) inspect radar.py and _write_radar.py yourself (or with a dev) and remove any embedded API keys, replacing them with environment-configured values; (2) supply your own LLM endpoint/key via environment variables or local config and confirm the endpoint is trusted; (3) be aware the script will make network requests to RSS feeds, api.github.com, hn.algolia.com and to the configured LLM endpoint; (4) if you do not control or recognize the embedded key, treat it as potentially compromised and do not expose sensitive data through the skill; (5) prefer running it in an isolated environment (non-privileged user, network-restricted) until you have sanitized the code. If you want, provide the full untruncated radar.py/_write_radar.py and I can point to the exact lines to change.

功能分析

Type: OpenClaw Skill Name: competitor-radar Version: 1.0.0 The skill bundle is a legitimate tool for monitoring competitor activities via RSS feeds, GitHub releases, and HackerNews. The logic in `radar.py` and the helper script `_write_radar.py` is transparent and aligns with the stated purpose in `SKILL.md`. While the code contains a hardcoded API key and references a local LLM proxy (127.0.0.1:18790), these appear to be environment-specific configurations for the OpenClaw platform rather than malicious artifacts. No evidence of data exfiltration, unauthorized file access, or prompt injection was found.

能力评估

⚠ Purpose & Capability

The stated purpose (monitor blogs, GitHub, HackerNews and produce reports) matches the code's fetching and reporting behavior, and requiring python3 is reasonable. However, the code embeds a hard-coded LLM API key and a local LLM endpoint (http://127.0.0.1:18790) directly in the scripts instead of using a declared/optional environment variable. Embedding a key in the code is disproportionate to the stated purpose and not documented in SKILL.md or requires.env.

⚠ Instruction Scope

SKILL.md only instructs running radar.py with an optional config and --no-ai, but the runtime code will call external services (GitHub API, hn.algolia, blogs) and a local LLM endpoint using a hard-coded API key. The instructions do not mention the LLM endpoint, the embedded API key, or optional env vars (e.g., GITHUB_TOKEN), so the runtime behavior is under-documented and gives the skill more network capability than the instructions disclose.

✓ Install Mechanism

No install spec; the skill is instruction-and-code-only and only requires python3 on PATH. This is low install risk because nothing is downloaded during install.

⚠ Credentials

The declared metadata lists no required environment variables, but the code optionally reads GITHUB_TOKEN and unambiguously contains a hard-coded LLM API key and endpoint in both radar.py and _write_radar.py. Requiring or shipping credentials in-code is not proportional: credentials should be optional and provided via environment variables or config, and any required tokens should be declared in the skill metadata.

✓ Persistence & Privilege

always is false and there are no install hooks or modifications to other skills or system-wide settings. The skill can be invoked by the agent autonomously (default), which is expected for skills; that alone is not a concern here.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install competitor-radar
安装完成后，直接呼叫该 Skill 的名称或使用 /competitor-radar 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

初始发布：自动监控竞品博客RSS、GitHub Release、HackerNews动态，AI评分筛选重要信息

元数据

Slug competitor-radar

版本 1.0.0

许可证 MIT-0

累计安装 1

当前安装数 0

历史版本数 1

常见问题