A real-time intelligence feed tracking the top 50 AI organizations and influencers globally.
Author: kongxiaodan20001201-alt · GitHub · v1.0.0 · MIT-0
Total downloads: 281
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install x-daily-report
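Description
Automatically monitors the X/Twitter activity of the world's top AI accounts every day and generates a structured daily report. The report includes recommended highlights, a complete activity overview, and tiered follow recommendations. Supports a free, API-less scraper mode and an official API mode, and is fully automated with no manual intervention. Use cases: (1) automatic push of AI industry updates at 8:30 every day (2) monitoring the latest activity of specific accounts (3) generating industry trend reports (4) mentioning "X...
Safe usage recommendations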
This skill can produce the daily X/Twitter report it claims, but there are several red flags you should address before installing or running it:
- Source verification: the skill owner is unknown and there is no homepage—prefer verified sources.
- Embedded secrets: x-monitor.js hardcodes tokens and an X_API_KEY; treat these as potentially sensitive or stale and do not run code that contains untrusted secrets. Ask the author to remove hardcoded tokens and accept credentials via documented env vars or a secure vault.
- Undeclared environment usage: the monitor uses process.env.FEISHU_ACCESS_TOKEN but the skill metadata lists no env vars—confirm which credentials are required and why.
- Browser cookie access: the free scraper will attempt to reuse your Chrome session (scraper.useCookiesFromBrowser('chrome')). That allows the skill to access session cookies and act as you on X. Only run this in a controlled environment or avoid cookie reuse by using a throwaway account or the official API mode.
- Dependency review: audit the '@the-convocation/twitter-scraper' package source and behavior (it may perform headless browser automation and filesystem access).
- Run sandboxed: if you still want to try it, run it in an isolated environment (VM/container) with no sensitive browser profiles mounted, and avoid supplying real credentials until you've reviewed network calls and code.
If the author can (1) remove hardcoded tokens, (2) document required env vars and external endpoints, and (3) provide an option that does not reuse local browser sessions, the risk would be significantly lower.
Functional analysis
Type: OpenClaw Skill
Name: x-daily-report
Version: 1.0.0
The skill bundle exhibits high-risk behavior by accessing sensitive local data. Specifically, `scripts/x-scraper-free.js` uses `scraper.useCookiesFromBrowser('chrome')` to extract session cookies from the user's browser to bypass X/Twitter API restrictions. While this aligns with the stated 'free scraping' functionality, it is a significant privacy risk. Additionally, `scripts/x-monitor.js` contains a hardcoded X API key (THp2c1V4bW5JQVJ1S09IY1BzN1NubDoxaXJpUQ), which constitutes a credential leak. There is no clear evidence of intentional exfiltration of the stolen cookies to a third-party server, placing it in the suspicious category rather than malicious.
Capability assessment
Purpose & Capability
The name/description (daily monitoring of X/Twitter accounts) generally matches the code (two scripts for a free scraper and an API-based monitor). However the code accesses external systems (Feishu/Bitable) and contains hardcoded tokens (BITABLE_APP_TOKEN, BITABLE_TABLE_ID, X_API_KEY) while the skill metadata declares no required environment variables, credentials, or config paths. The presence of Feishu/Bitable integration and embedded tokens is not explained in the SKILL.md or registry metadata.
Instruction Scope
SKILL.md tells users to run node scripts/x-scraper-free.js and edit scripts for API keys, and claims automatic reuse of a browser session, which the scraper implements (scraper.useCookiesFromBrowser('chrome')). The instructions do not disclose that the code will attempt to access local browser cookies/sessions or that x-monitor.js will call Feishu Bitable endpoints and expects FEISHU_ACCESS_TOKEN in the environment. The skill writes reports to disk and (per comments) may push to external services, but the push destinations and required credentials are not fully described.
Install Mechanism
No install spec in the registry (instruction-only), but package.json and dependencies exist (npm). Dependencies include an unvetted scraper package (@the-convocation/twitter-scraper) and axios. Installing these via npm is the likely required step; that is moderate risk because npm packages are third-party and may perform browser automation or network calls. No external archive downloads or short URLs are used in the package files.
Credentials
Metadata declares no required env vars, yet x-monitor.js references process.env.FEISHU_ACCESS_TOKEN and uses hardcoded service tokens (Bitable app token, X API key). The scraper relies on local browser cookies (implicit credential reuse) but the skill did not declare config paths or request permission. Hardcoded tokens and undeclared env usage are disproportionate/unexplained relative to the described purpose and are a privacy risk.
Persistence & Privilege
always:false and model invocation defaults are fine, but the skill intends to be scheduled (cron examples) and will read local browser session cookies via the scraper library (scraper.useCookiesFromBrowser('chrome')). That access to local browser state is a higher-privilege action that is not documented in metadata. The skill also writes daily reports to disk (local file write), which is expected, but combined with cookie access and undisclosed external endpoints increases risk.
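How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install x-daily-report
- Once installation is complete, call the Skill by name or trigger it with /x-daily-report
- Provide the required input according to the Skill's parameter description to get structured output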
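Version history
v1.0.0
x-daily-report 1.0.0
- Initial release; supports automatic daily monitoring of 45 core AI-related X/Twitter accounts worldwide and generates a structured daily report
- Provides a free, API-less scraper mode and an official API mode, giving a zero-cost option alongside a high-availability one
- The daily report covers three parts: recommended highlights, an account activity overview, and tiered follow recommendations
- Pushes the latest summary automatically at 8:30 every day by default, and also supports custom monitored accounts and push times
- Clear directory structure and quick-start documentation for easy installation and extension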
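FAQ
What is A real-time intelligence feed tracking the top 50 AI organizations and influencers globally.?
Automatically monitors the X/Twitter activity of the world's top AI accounts every day and generates a structured daily report. The report includes recommended highlights, a complete activity overview, and tiered follow recommendations. Supports a free, API-less scraper mode and an official API mode, and is fully automated with no manual intervention. Use cases: (1) automatic push of AI industry updates at 8:30 every day (2) monitoring the latest activity of specific accounts (3) generating industry trend reports (4) mentioning "X... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 281 downloads to date.
How do I install A real-time intelligence feed tracking the top 50 AI organizations and influencers globally.?
Run the command "/install x-daily-report" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is A real-time intelligence feed tracking the top 50 AI organizations and influencers globally. free?
Yes, A real-time intelligence feed tracking the top 50 AI organizations and influencers globally. is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does A real-time intelligence feed tracking the top 50 AI organizations and influencers globally. support?
A real-time intelligence feed tracking the top 50 AI organizations and influencers globally. runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed A real-time intelligence feed tracking the top 50 AI organizations and influencers globally.?
Developed and maintained by kongxiaodan20001201-alt (@kongxiaodan20001201-alt); the current version is v1.0.0.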