Scan Report
5/100
smart-keepalive
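Periodically fetches trending RSS items and automatically sends a "keepalive briefing" through OpenClaw. Supports copy polishing via openclaw agent, an optional daily-routine appendix, and helpers for scheduled deployment with launchd/cron.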
The Smart Keepalive skill is a legitimate RSS aggregation and messaging pipeline for OpenClaw with no malicious behavior detected.
Safe to install
No action required. The skill is safe to use.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | SKILL.md lacks explicit allowed-tools declaration | SKILL.md:1 |
| Low | subprocess.run with shell invocations not formally declared in SKILL.md | smart-keepalive.py:61 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ+WRITE | ✓ Aligned | smart-keepalive.py:143-148 writes config.json; logs written to ~/.openclaw/logs/ |
| Network | NONE | READ | ✓ Aligned | Fetches RSS from plink.anyfeeder.com, RSSHub instances, weather from autodev.ope… |
| Shell | NONE | WRITE | ✓ Aligned | subprocess.run calls openclaw agent/send for content generation and message deli… |
| Environment | NONE | READ | ✓ Aligned | Reads KEEPALIVE_* and OPENCLAW_* env vars; no iteration for secrets |
| Skill Invoke | NONE | READ | ✓ Aligned | Reads prompts/*.md template files for content generation |
| Database | NONE | NONE | — | No database access |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
13 findings
| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://agentskills.io/skill-creation/best-practices | SKILL.md:9 |
| Medium | External URL | https://rsshub.liumingye.cn | SKILL.md:63 |
| Medium | External URL | https://rsshub.pseudoyu.com | SKILL.md:64 |
| Medium | External URL | https://sshub.rssforever.com | SKILL.md:65 |
| Medium | External URL | https://autodev.openspeech.cn/csp/api/v2.1/weather | smart-keepalive.py:492 |
| Medium | External URL | https://api.bilibili.com/x/web-interface/ranking/v2 | smart-keepalive.py:547 |
| Medium | External URL | https://www.bilibili.com/video/ | smart-keepalive.py:566 |
| Medium | External URL | https://plink.anyfeeder.com/zaobao/realtime/china | smart-keepalive.py:601 |
| Medium | External URL | https://plink.anyfeeder.com/zaobao/realtime/singapore | smart-keepalive.py:605 |
| Medium | External URL | https://plink.anyfeeder.com/zaobao/realtime/world | smart-keepalive.py:608 |
| Medium | External URL | https://plink.anyfeeder.com/wsj/cn | smart-keepalive.py:611 |
| Medium | External URL | https://sspai.com/feed | smart-keepalive.py:617 |
| Medium | External URL | https://rss.huxiu.com/ | smart-keepalive.py:620 |

File Tree
6 files · 69.3 KB · 1762 lines
Python 1f · 1511L
Markdown 4f · 213L
Shell 1f · 38L
├─ prompts
│ ├─ rewrite-main.md (Markdown)
│ ├─ status-footer.md (Markdown)
│ └─ wellness.md (Markdown)
├─ SKILL.md (Markdown)
├─ smart-keepalive.py (Python)
└─ smart-keepalive.sh (Shell)
Security Positives
✓ No credential harvesting — skill only reads RSS/weather/Bilibili public APIs with no auth tokens
✓ No data exfiltration — all network output stays local (logged to file, sent via openclaw message)
✓ No hidden functionality — all behavior is traceable to documented RSS/API sources
✓ No sensitive path access — no ~/.ssh, ~/.aws, .env, or key files accessed
✓ No base64/eval/exec tricks, no remote script execution (curl|bash), no C2 indicators
✓ Script shell wrapper (smart-keepalive.sh) is minimal and well-auditable (38 lines)
✓ Proper timeout enforcement on subprocess calls prevents indefinite hangs
✓ Falls back to fixed template on agent failure rather than opaque behavior
✓ Input sanitization on URLs via urllib.parse.urlsplit and quote()