Trend analyzes topics by monitoring popularity, sentiment changes, and providing early detection, comparison charts, and alerts with offline data storage.
Security Analysis
high confidenceThe package is a small local CLI that reads/writes files under your home dir and does not require credentials, but its advertised capabilities (monitoring, sentiment, alerts) and documented configuration do not match the actual script and there are minor inconsistencies (missing required binary, mismatched env var), so you should review/clarify before installing.
The skill description promises monitoring, popularity/sentiment tracking, early detection, charts and alerts. The included script only implements simple add/list/status/run/export functionality and basic history logging — no network monitoring, no sentiment analysis, no alerting or charting. This is a substantive capability mismatch.
SKILL.md directs the agent to use the CLI and says data is stored in ~/.local/share/trend/ and that TREND_DIR can change the data directory. The script actually uses XDG_DATA_HOME (or $HOME/.local/share) to set DATA_DIR and does not read a TREND_DIR env var — minor inconsistency but the script's file accesses are limited to its own data directory and do not touch unrelated system files.
No install spec (instruction-only plus a simple shell script) — nothing is downloaded or extracted from remote URLs. Risk from installation mechanism itself is low.
The skill declares no required env vars or credentials, which matches the script's lack of secret usage. However SKILL.md mentions TREND_DIR while the script uses XDG_DATA_HOME; SKILL.md also does not list python3 even though the script invokes python3 for JSON export. Missing declared dependency is a small proportionality/information problem.
always is false and the skill writes only to a per-user data directory under the invoking user's home. It does not request elevated privileges or modify other skill/system configs.
Guidance
This skill is a simple local CLI that creates and reads files in a per-user data directory (~/.local/share/trend/ by default). Before installing: 1) Note the big mismatch between the marketing (monitoring, sentiment, alerts, charts) and what the script actually does — it does not perform network monitoring or sentiment analysis. 2) If you need JSON export, ensure python3 is available (the script calls python3 but the metadata doesn’t declare it). 3) The README mentions TREND_DIR, but the script honors XDG_DATA_HOME instead — ask the author to clarify or fix the env-var/name mismatch. 4) Because the script only writes to your home directory and does not access secrets or the network, the direct safety risk is low, but the misleading description means this skill may not meet your expectations. If you need real monitoring/alerting, prefer a different, clearly specified tool or request the author provide the missing capabilities and correct metadata.
Latest Release
v1.0.2
Standards compliance: unique content, no template text
More by @xueyetianya
Published by @xueyetianya on ClawHub
