Zhihu Assistant

知乎热榜抓取与回答草稿生成助手 - 自动抓取知乎热榜，使用 AI 生成优质回答草稿，推送到飞书审核

This skill appears to do what it says, but review a few things before installing: - Sensitive credentials: the skill requires a Zhihu login cookie and an LLM API key. Only paste these into OpenClaw config and never commit them to a repository. Consider using a throwaway account or scope-limited API key if possible and rotate credentials after testing. - Verify cron behavior: SKILL.md claims scheduled tasks will be created automatically, but the provided install.sh does not create cron entries. If you rely on scheduling, either add cron jobs yourself or confirm how OpenClaw will schedule the skill. - Check the LLM endpoint: the code supports Kimi/Doubao and has multiple base_url defaults in different files; confirm the API endpoint you configure is the intended one and that you trust that provider. - Unnecessary dependencies: install.sh installs packages (openai, httpx) that the code doesn't use. This is not necessarily malicious, but it increases installed surface area—inspect and remove unused dependencies if you prefer a minimal environment. - OpenClaw CLI dependency: runtime code uses 'openclaw config get' via subprocess. Ensure the OpenClaw CLI is present and that you understand what config entries the skill will read. - Review the remainder of main.py (it was truncated here): ensure there are no hidden network calls or logic that would send collected data (cookies, drafts, logs) to unexpected third-party endpoints. If you want stronger assurance, run the skill in an isolated environment (VM or container) and monitor outbound network traffic during a test run. If you provide the full, untruncated main.py code I can re-check the remaining runtime behaviors and raise or lower my confidence accordingly.

Type: OpenClaw Skill Name: zhihu-assistant-skill Version: 0.1.1 The OpenClaw AgentSkills bundle for 'zhihu-assistant' appears benign. Its `install.sh` script performs standard setup tasks, including creating directories within the OpenClaw workspace, copying skill files, and installing Python dependencies (`pyyaml`, `requests`, `httpx`, `openai`). The `main.py` and module files implement the stated functionality of fetching Zhihu hot topics, generating AI answers using Kimi/Doubao API, and managing a review queue with Feishu notifications. Sensitive configurations like `zhihu_cookie` and `kimi_api_key` are explicitly requested and marked as `secret` in `config.schema.json`, and are used for the skill's core purpose (accessing Zhihu and AI services). There is no evidence of data exfiltration to unauthorized endpoints, malicious execution (e.g., `curl|bash` of untrusted sources), persistence mechanisms beyond OpenClaw's cron features, or prompt injection attempts against the OpenClaw agent itself. The use of `subprocess.run` in `main.py` to retrieve OpenClaw configuration is safe as the keys are hardcoded and not user-controlled, mitigating shell injection risks.