← 返回 Skills 市场
91
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install tdl-download-notify
功能描述
TDL 下载完成后自动通过 Server 酱微信通知,包含文件名和大小信息
安全使用建议
This skill's behavior is coherent with its stated purpose (running tdl and notifying via Server 酱), but there are several red flags you should address before installing or using it:
- Hard-coded SendKey: The script contains an embedded Server 酱 SendKey and will send file names, sizes, timestamps and the download directory to sctapi.ftqq.com using that key. If you do not control that SendKey, your download metadata will be sent to someone else. Ask the author to remove the embedded key and accept a SENDKEY via environment variable or configuration file.
- Metadata mismatch: The registry metadata does not declare required binaries or libraries, while SKILL.md says the script needs 'tdl' and the 'requests' Python package. Ensure tdl is installed and requests is available before running.
- Default paths and privileges: The default output_dir is /root/tdl_download. Consider changing this to a user-writable path and verify the agent will not gain access to unintended files.
- Data sent to third party: The notifications include file metadata. Confirm that you (or your organization) are comfortable with that metadata leaving your host and going to the Server 酱 account associated with the key.
Recommended actions before installing:
1) Replace the hard-coded SENDKEY with a required environment variable (and update registry metadata to declare it).
2) Confirm/own the SendKey (or provide your own) so notifications go to an account you control.
3) Update registry metadata to declare dependencies (tdl, requests) and the expected configuration paths.
4) Run the script in a sandbox or test environment first to confirm outputs and that only expected data is transmitted.
5) If you cannot verify/control the SendKey, do not install or run this skill — it would leak download metadata to a third party.
Given these issues (especially the embedded credential and metadata inconsistencies) I rate the package as suspicious rather than clearly benign; fixing the points above would move it toward benign.
功能分析
Type: OpenClaw Skill
Name: tdl-download-notify
Version: 1.0.0
The skill contains a hardcoded ServerChan API key (sctp6765tcomfljakjcquc4e7mdaman) in both SKILL.md and tdl_download_notify.py. This configuration causes metadata about the user's downloads—including filenames, sizes, and Telegram source URLs—to be sent to the owner of that specific key at sctapi.ftqq.com. While the behavior is consistent with the stated purpose of providing notifications, hardcoding a specific credential instead of using a placeholder or environment variable results in the exfiltration of user activity data to a third party.
能力评估
Purpose & Capability
The skill's stated purpose is to download Telegram content with tdl and notify via Server 酱 — the code implements exactly that. However the registry metadata lists no requirements while SKILL.md metadata declares python 'requests' and a 'tdl' binary; this mismatch suggests the package metadata is incomplete. More importantly, the script embeds a Server 酱 SendKey (sctp6765t...aman) rather than requiring the user to provide credentials, which is not proportionate to a downloader/notify helper and is unexpected for a third‑party integration.
Instruction Scope
Runtime instructions and the included script run the tdl binary, list and compare contents of a download directory, build file lists (names, sizes, modified times) and POST that information to the Server 酱 API using the embedded SendKey. Sending file metadata (file names, sizes, timestamps, directory path) to an external endpoint is effectively data exfiltration of metadata — acceptable only if the key belongs to the installer. SKILL.md also references local paths (/root/openclaw/...), but the script does not read those files; this discrepancy reduces clarity about where configuration should live.
Install Mechanism
No install spec is present (instruction-only plus a single script). That keeps disk writes limited to the included script and the tdl binary invocation; from an installation perspective this is low risk. Nothing is being downloaded/installed from arbitrary URLs by the skill.
Credentials
No required environment variables or primary credential are declared, yet the script hardcodes a Server 酱 SendKey. Best practice would be to require a SENDKEY env var (or other explicit configuration). The skill also assumes a default download directory (/root/tdl_download), which implies root paths and could cause permission/visibility issues. The number and nature of implicit credentials (embedded key) is disproportionate and undocumented in registry metadata.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or global agent settings. It will execute autonomously if the agent is allowed to invoke skills (the platform default), which is expected for this kind of helper.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install tdl-download-notify - 安装完成后,直接呼叫该 Skill 的名称或使用
/tdl-download-notify触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release — Telegram resource downloads with Server酱 WeChat notifications.
- Automatically sends WeChat notifications (file names and sizes) upon download completion.
- Supports both successful and failed download notifications.
- Tracks multiple downloaded files, providing detailed file info and statistics.
- Default and customizable download directories.
- Simple command-line usage plus OpenClaw integration.
- Requires TDL and Server酱 configuration.
元数据
常见问题
Tdl Download Notify 是什么?
TDL 下载完成后自动通过 Server 酱微信通知,包含文件名和大小信息. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 91 次。
如何安装 Tdl Download Notify?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install tdl-download-notify」即可一键安装,无需额外配置。
Tdl Download Notify 是免费的吗?
是的,Tdl Download Notify 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Tdl Download Notify 支持哪些平台?
Tdl Download Notify 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Tdl Download Notify?
由 Wade(@tang2606)开发并维护,当前版本 v1.0.0。
推荐 Skills