Scan Report
5 /100
trend-radar
Real-time trending topics aggregator across 7 platforms (X/Twitter, Reddit, Google Trends, Hacker News, Zhihu, Bilibili, Weibo)
A legitimate trend aggregation skill that makes network requests to 7 public platforms, with subprocess usage fully declared in SKILL.md and no hidden functionality.
Safe to install
No action needed. The skill is safe to use.
Findings 1 item
| Severity | Finding | Location |
|---|---|---|
| Low | Undeclared file write via --save flag (Doc Mismatch) | scripts/trends.py:280 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ+WRITE | ✓ Aligned | trends.py:280 writes to ~/.openclaw/; scheduler.py manages crontab files |
| Network | NONE | READ | ✓ Aligned | All 7 source fetchers (bilibili.py, twitter.py, etc.) use urllib to read public … |
| Shell | WRITE | WRITE | ✓ Aligned | scheduler.py:23-32 uses subprocess to run crontab; trends.py runs python3 — all … |
| Environment | NONE | NONE | — | No os.environ iteration found |
| Skill Invoke | NONE | NONE | — | No inter-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
37 findings, 1 High
| Severity | Type | Value | Location |
|---|---|---|---|
| High | IP Address (hard-coded) | 120.0.0.0 | scripts/sources/bilibili.py:20 |
| Medium | External URL | https://img.shields.io/badge/ClawHub-trend--radar-blue | README.md:3 |
| Medium | External URL | https://clawhub.ai | README.md:3 |
| Medium | External URL | https://img.shields.io/badge/python-3.9%2B-brightgreen | README.md:4 |
| Medium | External URL | https://python.org | README.md:4 |
| Medium | External URL | https://img.shields.io/badge/dependencies-zero-orange | README.md:5 |
| Medium | External URL | https://img.shields.io/badge/license-MIT-green | README.md:6 |
| Medium | External URL | https://openclaw.ai | README.md:10 |
| Medium | External URL | https://trends24.in | README.md:16 |
| Medium | External URL | https://tophub.today | README.md:20 |
| Medium | External URL | https://img.shields.io/badge/依赖-零-orange | README_zh.md:5 |
| Medium | External URL | https://api.bilibili.com/x/web-interface/ranking/v2 | scripts/sources/bilibili.py:14 |
| Medium | External URL | https://api.bilibili.com/x/web-interface/popular?ps= | scripts/sources/bilibili.py:15 |
| Medium | External URL | https://s.search.bilibili.com/main/suggest?term=&main_ver=v1 | scripts/sources/bilibili.py:16 |
| Medium | External URL | https://www.bilibili.com | scripts/sources/bilibili.py:22 |
| Medium | External URL | https://www.bilibili.com/video/ | scripts/sources/bilibili.py:89 |
| Medium | External URL | https://search.bilibili.com/all?keyword= | scripts/sources/bilibili.py:124 |
| Medium | External URL | https://trends.google.com/trending/rss?geo= | scripts/sources/google.py:9 |
| Medium | External URL | https://hacker-news.firebaseio.com/v0/topstories.json | scripts/sources/hackernews.py:10 |
| Medium | External URL | https://hacker-news.firebaseio.com/v0/item/ | scripts/sources/hackernews.py:11 |
| Medium | External URL | https://news.ycombinator.com/item?id= | scripts/sources/hackernews.py:52 |
| Medium | External URL | https://www.reddit.com/r/popular.rss | scripts/sources/reddit.py:13 |
| Medium | External URL | https://www.reddit.com/r/popular/hot.json | scripts/sources/reddit.py:14 |
| Medium | External URL | https://reddit.com | scripts/sources/reddit.py:112 |
| Medium | External URL | https://trends24.in/ | scripts/sources/twitter.py:10 |
| Medium | External URL | https://x.com/search?q= | scripts/sources/twitter.py:131 |
| Medium | External URL | https://weibo.com/ajax/side/hotSearch | scripts/sources/weibo.py:14 |
| Medium | External URL | https://s.weibo.com/top/summary | scripts/sources/weibo.py:15 |
| Medium | External URL | https://weibo.com/ | scripts/sources/weibo.py:53 |
| Medium | External URL | https://s.weibo.com/weibo?q=%23 | scripts/sources/weibo.py:80 |
| Medium | External URL | https://s.weibo.com | scripts/sources/weibo.py:120 |
| Medium | External URL | https://www.zhihu.com/api/v3/feed/topstory/hot-lists/total | scripts/sources/zhihu.py:15 |
| Medium | External URL | https://www.zhihu.com/hot | scripts/sources/zhihu.py:16 |
| Medium | External URL | https://tophub.today/n/mproPpoq6O | scripts/sources/zhihu.py:17 |
| Medium | External URL | https://www.zhihu.com/ | scripts/sources/zhihu.py:23 |
| Medium | External URL | https://www.zhihu.com/question/ | scripts/sources/zhihu.py:63 |
| Medium | External URL | https://www\.zhihu\.com/question/\d+ | scripts/sources/zhihu.py:125 |

File Tree
15 files · 52.1 KB · 1775 lines
Python 10f · 1426L
Markdown 3f · 340L
JSON 2f · 9L
├─ scripts
│ ├─ sources
│ │ ├─ __init__.py (Python)
│ │ ├─ bilibili.py (Python)
│ │ ├─ google.py (Python)
│ │ ├─ hackernews.py (Python)
│ │ ├─ reddit.py (Python)
│ │ ├─ twitter.py (Python)
│ │ ├─ weibo.py (Python)
│ │ └─ zhihu.py (Python)
│ ├─ scheduler.py (Python)
│ └─ trends.py (Python)
├─ _meta.json (JSON)
├─ package.json (JSON)
├─ README_zh.md (Markdown)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependencies 3 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| urllib | stdlib | python3 | No | Python standard library only |
| json | stdlib | python3 | No | Python standard library only |
| subprocess | stdlib | python3 | No | Used only for crontab and python3 invocation — declared in SKILL.md |
Security Positives
✓ Zero external Python dependencies — uses only stdlib (urllib, json, re, concurrent.futures)
✓ No credential harvesting, no API key access, no environment variable enumeration
✓ All subprocess/shell usage is explicitly declared in SKILL.md (python3 scripts, crontab management)
✓ No base64, no eval(), no obfuscation
✓ All network targets are legitimate public APIs (Twitter, Reddit, Google Trends, HN Firebase, Bilibili, Zhihu, Weibo)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No persistence mechanisms beyond the user-initiated cron scheduling (which is declared)
✓ No hidden HTML comments or steganographic payloads