← 返回 Skills 市场
540
总下载
0
收藏
5
当前安装
1
版本数
在 OpenClaw 中安装
/install weibo-trending
功能描述
微博多频道热搜数据采集与可视化 | Weibo Multi-Channel Hot Search Data Collection & Visualization 支持热搜总榜、社会榜、文娱榜、生活榜同时抓取 | Supports hot search, social, entertainment, life ch...
安全使用建议
This package mostly does what it claims (collect Weibo hot-search items, save to a SQLite DB, and create an HTML report), but there are notable concerns you should address before running it:
- The scripts rely on an external CLI 'openclaw browser' to open pages and capture snapshots, but SKILL.md and the manifest do not declare this dependency. Ensure you have 'openclaw' installed from a trusted source before using the scripts.
- The fetcher uses subprocess.run with shell=True to execute commands like: openclaw browser open --profile openclaw '{url}'. Those commands include URLs and other strings derived from parsed page snapshots. If an attacker can influence snapshot output (or if a malformed URL contains shell metacharacters), this can lead to command injection. Consider running the tool only in an isolated environment (VM/container) and inspect/clean inputs first.
- If you plan to use this skill: (1) Review and/or modify fetch-hot-search.py and fetch-topic-content to avoid shell=True and to pass command arguments as lists to subprocess.run; (2) sanitize or validate any URL or title data before embedding into shell commands; (3) explicitly document and verify the 'openclaw' dependency in SKILL.md; (4) run initial tests with a non-privileged user and in a sandbox; (5) consider adding explicit warnings in SKILL.md about the browser dependency and security considerations.
If you want higher assurance, ask the author to declare the 'openclaw' dependency and to replace shell invocations with safe APIs or subprocess argument lists and to add input sanitization. Without those changes, treat the skill as potentially risky on sensitive hosts.
功能分析
Type: OpenClaw Skill
Name: weibo-trending
Version: 1.0.0
The skill bundle provides legitimate functionality for scraping and visualizing Weibo hot search data, but it contains critical security vulnerabilities. Specifically, 'scripts/fetch-hot-search.py' uses 'subprocess.run' with 'shell=True' to process URLs parsed directly from external web content, which creates a significant shell injection risk. Additionally, 'scripts/query.py' uses string formatting to construct SQL queries, introducing a potential SQL injection vector. While these appear to be unintentional coding flaws rather than intentional malice, they constitute high-risk behaviors that could be exploited by malicious content on the scraped pages.
能力评估
Purpose & Capability
The project claims to be a Weibo hot-search collector/visualizer and the included scripts implement that. However the runtime code relies heavily on an external 'openclaw' browser CLI (used to open pages and obtain snapshots) but the skill metadata and SKILL.md do not declare this dependency. The lack of a declared required binary is an incoherence: a legitimate collector needs the browser CLI (or an HTTP client), so the missing declaration is unexpected.
Instruction Scope
SKILL.md documents how to run the Python scripts but never mentions the required 'openclaw' CLI or its security implications. The fetch scripts instruct the agent to run shell commands that open URLs and capture snapshots, then parse snapshot text to extract URLs and post content. That parsing output is later used to construct more shell commands — this expands scope beyond simple parsing and could lead to executing commands derived from external page content. The instructions are also silent about running in an isolated environment or validating inputs.
Install Mechanism
There is no install specification (instruction-only install), so nothing will be automatically downloaded or executed during install. That lowers installer risk. However the skill includes multiple code files that will be placed on disk; they will execute local subprocesses at runtime.
Credentials
The skill requests no environment variables or credentials, and stores data in a local SQLite DB and HTML file. The requested access is proportionate to the described purpose.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It writes only to its own data/ directory and DB; it doesn't modify other skills or system-wide configs.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install weibo-trending - 安装完成后,直接呼叫该 Skill 的名称或使用
/weibo-trending触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Multi-channel Weibo hot search collector with HTML visualization
元数据
常见问题
微博热搜采集 | Weibo Hot Search 是什么?
微博多频道热搜数据采集与可视化 | Weibo Multi-Channel Hot Search Data Collection & Visualization 支持热搜总榜、社会榜、文娱榜、生活榜同时抓取 | Supports hot search, social, entertainment, life ch... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 540 次。
如何安装 微博热搜采集 | Weibo Hot Search?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install weibo-trending」即可一键安装,无需额外配置。
微博热搜采集 | Weibo Hot Search 是免费的吗?
是的,微博热搜采集 | Weibo Hot Search 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
微博热搜采集 | Weibo Hot Search 支持哪些平台?
微博热搜采集 | Weibo Hot Search 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 微博热搜采集 | Weibo Hot Search?
由 noah(@noah-1106)开发并维护,当前版本 v1.0.0。
推荐 Skills