Skill details (on-site mirror, no comments)
Author: sam1337 @0xs4m1337
License: MIT-0
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Version: v1.1.1
Stats: ⭐ 0 · 2.4k · 7 current installs · 7 all-time installs
🛡 VirusTotal: Suspicious · OpenClaw: Suspicious
Package: 0xs4m1337/pinterest
Security scan (ClawHub)
- VirusTotal: Suspicious
- OpenClaw: Suspicious
OpenClaw assessment
The skill generally does what it says (search and send Pinterest images) but has several mismatches and risky behaviors (undeclared environment variable, runtime pip install, and web-scraping instructions) that warrant caution before installing.
Purpose
The skill's name/description (search & send Pinterest images) matches the included code and instructions: it scrapes Pinterest pages, converts i.pinimg URLs to 'originals', and can use Pinterest OAuth for the official API. However the registry metadata claims no required env vars while the code and SKILL.md reference a PINTEREST_ACCESS_TOKEN for API calls (not declared), and the package is marked 'instruction-only' despite including a runnable…
Instruction scope
SKILL.md instructs the agent to navigate Pinterest pages, snapshot/screenshot pages, extract image URLs, and send image files directly via messaging. It also documents an API path requiring an access token. The instructions access environment state (PINTEREST_ACCESS_TOKEN) that is not declared in the skill metadata, and direct the agent to perform web scraping and file-sending operations which broaden data exfiltration risk compared with a sim…
Install mechanism
No install spec is provided in the registry, but the included script dynamically installs the 'httpx' Python package at runtime via subprocess.check_call([python, '-m', 'pip', 'install', ...]). Dynamic pip installation executes network code and writes packages to disk at runtime; this is higher-risk than a declared, reviewed install step and should be explicit in the manifest.
Credentials
The only credential the skill needs (per code and docs) is PINTEREST_ACCESS_TOKEN for API access, which is reasonable for OAuth operations. However the skill's metadata lists no required env vars (none declared), so the required access token is not declared up-front. That omission reduces transparency and makes it easy to miss that you must provide a secret to enable API features.
Persistence
The skill does not request always:true, does not modify other skills or system-wide settings, and is user-invocable only by default. It does perform network requests and may install a Python package at runtime, but it does not request persistent elevated privileges in the manifest.
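Install (copy to Lobster AI)
Copy the entire block below into a Lobster Chinese Library conversation, and Lobster will complete the installation by following SKILL.md.
Please hand this block to Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "Pinterest" on this machine. Summary: Search and browse Pinterest pins, get pin details, and send actual images to th….
Please fetch the following address to read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/0xs4m1337/pinterest/SKILL.md
(Source: yingzhi8.cn skill library)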