Periodically fetches the daily, weekly, or monthly GitHub Trending projects and pushes them to a DingTalk group; supports a test mode and a fetch-only mode.
Security Analysis
High confidence: The skill does what it says (fetch GitHub Trending and push to DingTalk), but it embeds a hard-coded DingTalk webhook and provides no way for the installer to configure their own webhook, which is disproportionate and risky.
The name/description (push GitHub Trending to DingTalk) matches the code and SKILL.md: the script fetches trending pages, formats Markdown, and posts to a DingTalk webhook. However, the skill includes a specific hard-coded webhook URL inside the code rather than requiring the user to supply their own, which is unexpected for a push-notification integration.
SKILL.md only explains how to run the script and add a cron job, and states '钉钉 Webhook: 已配置' ("DingTalk Webhook: configured") without telling the user to configure their own webhook or explaining how to change it. The runtime instructions and code send messages to the embedded webhook by default. The skill does not read or transmit any other local files or secrets, but the silent use of a third-party webhook is scope creep relative to the documentation.
There is no install spec; this is an instruction-only skill with an included Python script. Nothing is downloaded or written at install time, which reduces install-time risk.
The skill requests no environment variables, but embeds a full DingTalk webhook URL (including an access_token-like value) in plaintext. A well-scoped push skill would require the operator to provide their own webhook (env var or config file). Embedding someone else's webhook is disproportionate and could cause unexpected outbound posting or leak data to the webhook owner.
The skill does not request 'always: true', does not modify other skills or system settings, and runs only when invoked or via user-installed cron. There is no evidence of privilege escalation or permanent platform-wide changes.
Guidance
Do not install this skill as-is if you expect notifications to go to your own DingTalk group. The script contains a hard-coded DingTalk webhook URL (the access_token in that URL is the credential), so every push goes to that webhook unless you edit the code. Recommended actions before use:
1) Inspect and replace DINGTALK_WEBHOOK in github-trending-daily.py with a webhook you control, or modify the script to read the webhook from an environment variable or config file.
2) If the embedded webhook is yours, rotate it (delete the robot and create a new one, which issues a new token) and store the new URL in a secure environment variable rather than in the source.
3) Review the script for any additional endpoints (it only calls GitHub and the DingTalk webhook).
4) If you cannot or do not want to edit the file, avoid installing: the author-controlled webhook could receive unexpected data.
5) Prefer skills that require you to provide credentials explicitly (via environment or configuration) rather than embedding them in code.
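The following is an added example, not code from the github-trending-daily skill, showing the two checks the guidance above asks for: scanning a script for an embedded DingTalk webhook before running it, and loading the webhook from an environment variable (assumed name DINGTALK_WEBHOOK) that fails closed when it is missing or does not point at DingTalk. The optional sign_url step implements DingTalk's documented HMAC-SHA256 "sign" scheme for robots created with a signing secret; the sample script text, token and repository list are constructed for the example.

```python
"""Added example (not the skill's own code): validate and scan DingTalk webhooks."""
import base64
import hashlib
import hmac
import json
import os
import re
import time
import urllib.parse
import urllib.request

DINGTALK_HOST = "oapi.dingtalk.com"
# DingTalk custom-robot webhook form; the access_token value is the credential.
WEBHOOK_RE = re.compile(
    r"https://oapi\.dingtalk\.com/robot/send\?access_token=([0-9a-f]+)", re.I
)

# Constructed sample of a script with an embedded webhook (token is fake).
FAKE_TOKEN = "abcdef0123456789" * 4
SAMPLE_SCRIPT = (
    'DINGTALK_WEBHOOK = "https://oapi.dingtalk.com/robot/send?access_token='
    + FAKE_TOKEN + '"\n'
    "GITHUB_TRENDING = 'https://github.com/trending'\n"
)


def find_embedded_webhooks(source_text):
    """Return the access tokens of any DingTalk webhook URLs hard-coded in a script."""
    return WEBHOOK_RE.findall(source_text)


def redact(token):
    """Show only the ends of a token when reporting a finding."""
    return token[:4] + "..." + token[-4:] if len(token) > 8 else "***"


def is_dingtalk_webhook(url):
    """True only for https://oapi.dingtalk.com/robot/send?access_token=<non-empty>."""
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qs(parts.query)  # drops empty access_token= values
    return (
        parts.scheme == "https"
        and parts.hostname == DINGTALK_HOST
        and parts.path == "/robot/send"
        and "access_token" in query
    )


def load_webhook(env=None):
    """Read the webhook from the environment; never fall back to an embedded URL."""
    env = os.environ if env is None else env
    url = env.get("DINGTALK_WEBHOOK", "").strip()
    if not url:
        raise RuntimeError("DINGTALK_WEBHOOK is not set; refusing to use a built-in webhook")
    if not is_dingtalk_webhook(url):
        raise RuntimeError("DINGTALK_WEBHOOK does not look like a DingTalk robot webhook")
    return url


def sign_url(url, secret, timestamp_ms=None):
    """DingTalk 'sign' scheme: HMAC-SHA256 over "<timestamp>\\n<secret>", base64, URL-encoded."""
    ts = str(timestamp_ms if timestamp_ms is not None else int(time.time() * 1000))
    digest = hmac.new(secret.encode(), f"{ts}\n{secret}".encode(), hashlib.sha256).digest()
    sign = urllib.parse.quote_plus(base64.b64encode(digest).decode())
    return f"{url}&timestamp={ts}&sign={sign}"


def build_markdown_payload(title, repos):
    """repos: list of (name, url, description) tuples (constructed input)."""
    lines = [f"### {title}"] + [f"- [{name}]({link}): {desc}" for name, link, desc in repos]
    return {"msgtype": "markdown", "markdown": {"title": title, "text": "\n".join(lines)}}


def push(payload, url, dry_run=True):
    """POST the message; dry_run (the skill's test mode) sends nothing."""
    body = json.dumps(payload, ensure_ascii=False).encode()
    if dry_run:
        return {"dry_run": True, "bytes": len(body)}
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    for token in find_embedded_webhooks(SAMPLE_SCRIPT):
        print("embedded DingTalk webhook found, token", redact(token))
    payload = build_markdown_payload(
        "GitHub Trending (daily)",
        [("example/repo", "https://github.com/example/repo", "constructed entry")],
    )
    print(push(payload, url="https://oapi.dingtalk.com/robot/send?access_token=unused", dry_run=True))
```

Run the scanner over github-trending-daily.py before installing; a non-empty result means the script will post to someone else's group unless DINGTALK_WEBHOOK is replaced. Because load_webhook raises instead of defaulting, a cron job started without the variable fails loudly rather than silently posting elsewhere.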
Latest Release
v1.0.0
Initial release of github-trending-daily
- Automatically fetches daily, weekly, or monthly GitHub Trending projects
- Pushes trending lists to a specified DingTalk group
- Supports dry-run and no-push modes for testing and customization
- Provides sample crontab configurations for scheduled delivery
- Customizable message format using Markdown
- Includes troubleshooting tips and related skills references
Published by @jiangzhiyu on ClawHub