← 返回 Skills 市场
social-media-analysis
作者
FrankieWay
· GitHub ↗
· v1.0.0
· MIT-0
110
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install social-media-analysis
功能描述
社交媒体舆情数据分析工具。从飞书多维表格读取 URL,下载媒体,分析内容,生成摘要。
安全使用建议
This skill appears to do what it says (read Feishu bitable, download social-media media, extract frames, and generate short analyses), but it has several practical and security gaps: (1) The registry metadata does not declare the environment variables and command-line tools the scripts actually use — APP_ID, APP_SECRET, BITABLE_URL, optional XHS_COOKIE, and binaries like node, yt-dlp, ffmpeg, and Playwright are required at runtime. (2) Although permissions list only open.feishu.cn, the scripts make many outbound requests to social-media domains and will download files to disk. Before installing, verify you trust the source and review the full scripts locally. Prefer running in an isolated environment (dedicated VM/container) and use a Feishu app with minimal scope (rotate/revoke credentials after testing). If you need tighter control, request the publisher to update registry metadata to list required env vars, required binaries, and all outbound hosts, and to explain the unspecified 'image' analysis step and any external model endpoints it may call.
功能分析
Type: OpenClaw Skill
Name: social-media-analysis
Version: 1.0.0
The skill contains critical shell injection vulnerabilities in scripts/parse-bilibili.js and scripts/parse-xiaohongshu.js, where unsanitized URLs retrieved from a Feishu Bitable are passed directly to execSync calls for yt-dlp. While these flaws allow for potential Remote Code Execution (RCE), they appear to be unintentional coding errors rather than intentional malware. Additionally, the SKILL.md file declares restricted network permissions (only open.feishu.cn) that do not align with the scripts' actual behavior of accessing multiple social media domains like douyin.com, weibo.cn, and xiaohongshu.com.
能力评估
Purpose & Capability
The skill's name/description (Feishu bitable → download media → produce summaries) align with the included scripts. However the registry metadata declares no required env vars or binaries while the SKILL.md and scripts clearly require APP_ID/APP_SECRET/BITABLE_URL, optionally XHS_COOKIE, and external tools (yt-dlp, ffmpeg, Playwright, node). That mismatch (metadata says nothing required, runtime asks for credentials and binaries) is an incoherence.
Instruction Scope
SKILL.md and the included scripts instruct the agent to fetch tenant access tokens (APP_ID/APP_SECRET) and call Feishu APIs (expected), but they also fetch content from many external domains (weibo, m.weibo.cn, xiaohongshu, Douyin/Toutiao/Bilibili) and run local downloads and media-processing (ffmpeg, yt-dlp, Playwright). The skill's declared network permission only lists open.feishu.cn, yet runtime will contact many other hosts. The instructions also call an unspecified image-analysis command ('image frame_001.jpg') and run Playwright browser automation — both grant broad discretion and network/file access. These behaviors are coherent with the stated purpose but the omitted network host declarations and unspecified image-analysis step are concerning and should be explicitly reviewed/approved.
Install Mechanism
There is no install spec (instruction-only), so nothing would automatically be downloaded/installed by the platform. That lowers install-time risk. However the scripts assume presence of several external binaries (node, yt-dlp, ffmpeg, Playwright) and will write downloaded media to disk; those dependencies are not declared in the registry metadata. Because install is manual, ensure required tools are installed from trusted sources before running.
Credentials
The runtime requires sensitive Feishu credentials (APP_ID/APP_SECRET) and optionally cookies for Xiaohongshu (XHS_COOKIE). Those are proportionate to a skill that reads and updates a Feishu bitable and fetches gated content, but the registry metadata did not list them as required — an information gap. Confirm you are comfortable providing Feishu app credentials (they grant tenant-level API access) and any site cookies; minimize scopes and use a dedicated account/app if possible.
Persistence & Privilege
The skill is not marked always:true and does not request persistent platform-level privileges. It will run as invoked and update records in the target Feishu bitable (expected behavior). Autonomous invocation is allowed (platform default) but not combined here with other high-risk flags.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install social-media-analysis - 安装完成后,直接呼叫该 Skill 的名称或使用
/social-media-analysis触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of social-media-analysis skill.
- Provides tools to analyze social media data from Feishu (Lark) Bitable views.
- Supports URL validity checks, media type detection (image/video), media downloading, and 5-second interval video frame extraction.
- Generates concise (≤100 characters) content summaries with emphasis on Xiaomi/Xiaoai mentions if detected.
- Includes platform-specific scripts for Douyin, Weibo, Toutiao, Bilibili, and Xiaohongshu.
- Batch processing, concurrent workers, content parsing length limits, and customizable field mappings are supported.
- Output includes a success flag for process completion status.
元数据
常见问题
social-media-analysis 是什么?
社交媒体舆情数据分析工具。从飞书多维表格读取 URL,下载媒体,分析内容,生成摘要。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 110 次。
如何安装 social-media-analysis?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install social-media-analysis」即可一键安装,无需额外配置。
social-media-analysis 是免费的吗?
是的,social-media-analysis 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
social-media-analysis 支持哪些平台?
social-media-analysis 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 social-media-analysis?
由 FrankieWay(@frankieway)开发并维护,当前版本 v1.0.0。
推荐 Skills