← 返回 Skills 市场
Trawl
作者
audsmith28
· GitHub ↗
· v1.0.2
2002
总下载
2
收藏
2
当前安装
3
版本数
在 OpenClaw 中安装
/install trawl
功能描述
Autonomous lead generation through agent social networks. Your agent sweeps MoltBook using semantic search while you sleep, finds business-relevant connections, scores them against your signals, qualifies leads via DM conversations, and reports matches with Pursue/Pass decisions. Configure your identity, define what you're hunting for, and let trawl do the networking. Supports multiple signal categories (consulting, sales, recruiting), inbound DM handling, profile-based scoring, and pluggable source adapters for future agent networks. Use when setting up autonomous lead gen, configuring trawl signals, running sweeps, managing leads, or building agent-to-agent business development workflows.
安全使用建议
This skill appears to do what it says: it searches MoltBook, scores profiles, opens/approves DMs, and stores leads locally. Before installing, consider: 1) Ensure you trust the MoltBook API and supply only the MOLTBOOK_API_KEY (keep it in ~/.clawdbot/secrets.env as instructed). 2) Confirm you have the required CLI tools (curl, jq, bc, column and standard date utilities) or the scripts will fail — the metadata does not declare these dependencies. 3) Review config.json especially auto_approve_inbound (defaults to false) to avoid auto-accepting inbound DMs unintentionally. 4) The skill writes state to ~/.config/trawl and reads ~/.clawdbot/secrets.env — verify those paths and the files before running. 5) The source is listed as unknown and there's no homepage; if provenance matters, prefer packages with a known author or repository. If you want higher confidence, ask the publisher for a canonical repo or signed release and/or run the scripts in a disposable environment first.
功能分析
Type: OpenClaw Skill
Name: trawl
Version: 1.0.2
The skill is classified as suspicious due to `jq` injection vulnerabilities found in `scripts/leads.sh` and `scripts/report.sh`. In both scripts, user-controlled filter variables (`STATE_FILTER`, `CAT_FILTER`) are directly interpolated into `jq` filter expressions without proper escaping (e.g., `select(.value.state == "$STATE_FILTER")`). This flaw could allow an attacker to inject arbitrary `jq` syntax, potentially leading to unauthorized disclosure or manipulation of data within the local `leads.json` or `last-sweep-report.json` files. While the external API interactions are handled more securely with URL encoding and safe JSON construction, this internal data processing vulnerability is a significant concern.
能力评估
Purpose & Capability
The skill claims to operate on MoltBook and only requests MOLTBOOK_API_KEY — that matches expectations. One minor inconsistency: the metadata lists no required binaries, but the shipped scripts clearly expect command-line tools (curl, jq, bc, column, date utilities). Declaring those would be appropriate.
Instruction Scope
SKILL.md and the scripts stick to the described lead-gen workflow: reading config (~/.config/trawl), reading the secrets file (~/.clawdbot/secrets.env) for MOLTBOOK_API_KEY, calling MoltBook endpoints, sending DM requests, and writing local state files (leads.json, seen-posts.json, conversations.json, sweep logs). There are no hidden external endpoints or attempts to read unrelated system credentials in the instructions.
Install Mechanism
There is no install spec (instruction-only with bundled scripts). That is low-risk from an installer perspective. Note: running setup.sh/sweep.sh will create files under ~/.config/trawl and read ~/.clawdbot/secrets.env — expected behavior for this tool but it will write to your home directory.
Credentials
Only MOLTBOOK_API_KEY is required and is justified by the MoltBook API usage. The scripts only read the declared secret (from the secrets.env path the README asks you to use) and local config files; they do not request unrelated cloud or platform credentials.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide agent settings. It persists its own local state under ~/.config/trawl, which is appropriate for its stated function.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install trawl - 安装完成后,直接呼叫该 Skill 的名称或使用
/trawl触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
v1.0.2: Removed personal data from example config
v1.0.1
Security fix: metadata.clawdbot.requires.env declaration + defensive secrets loading
v1.0.0
Initial release: MoltBook semantic sweep, profile scoring, DM qualifying pipeline, inbound lead handling, category-filtered reports
元数据
常见问题
Trawl 是什么?
Autonomous lead generation through agent social networks. Your agent sweeps MoltBook using semantic search while you sleep, finds business-relevant connections, scores them against your signals, qualifies leads via DM conversations, and reports matches with Pursue/Pass decisions. Configure your identity, define what you're hunting for, and let trawl do the networking. Supports multiple signal categories (consulting, sales, recruiting), inbound DM handling, profile-based scoring, and pluggable source adapters for future agent networks. Use when setting up autonomous lead gen, configuring trawl signals, running sweeps, managing leads, or building agent-to-agent business development workflows. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2002 次。
如何安装 Trawl?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install trawl」即可一键安装,无需额外配置。
Trawl 是免费的吗?
是的,Trawl 完全免费(开源免费),可自由下载、安装和使用。
Trawl 支持哪些平台?
Trawl 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Trawl?
由 audsmith28(@audsmith28)开发并维护,当前版本 v1.0.2。
推荐 Skills