Monitors GitHub Trending and tech communities to track and analyze emerging tools in CLI, AI/ML, automation, and developer categories.
Security Analysis
medium confidenceThe skill mostly implements a GitHub Trending watcher and bookmarker (coherent with its name), but there are inconsistencies (unimplemented integrations mentioned in SKILL.md and a hardcoded user workspace path) that warrant caution before installing.
The code implements fetching GitHub Trending, filtering, analysis, and local bookmarking which fits the 'Trend Watcher' purpose. However SKILL.md claims integrations (Feishu documentation, 'daily memory files') that are not present in index.js, and the code hardcodes a workspace path (/home/vken/.openclaw/workspace) tied to a specific user—this mismatch suggests sloppy packaging or leftover dev configuration.
SKILL.md instructs the agent to run the tool and save bookmarks (with examples referencing a user-specified file), but the code reads/writes a hardcoded bookmarks file path. The skill performs network requests to github.com/trending and file I/O in the user's workspace; the instructions do not clearly document the exact file path or the network behavior, so the runtime actions are not fully disclosed in the SKILL.md.
No install specification is provided (instruction-only with a code file). There are no external downloads or package installs declared, so nothing is automatically written to disk beyond the included code and its normal runtime file I/O.
The skill requests no environment variables or credentials (good). Still, it performs filesystem writes/reads in a hardcoded user path and will write bookmark JSON to disk; this is a proportionate capability for a bookmarking tool but the hardcoded path and fixed username reduce transparency and portability.
The skill does not request elevated platform privileges or 'always' presence. Its persistence consists of writing/reading a bookmarks file in a workspace directory. It does not modify other skills or global agent settings.
Guidance
Before installing, consider: (1) review/confirm the hardcoded workspace path (/home/vken/.openclaw/workspace) — change it to a safe, explicit path or make it configurable so it doesn't accidentally write into your home directory; (2) the SKILL.md mentions Feishu and 'daily memory files' but the code does not implement those integrations — ask the author or inspect code for missing features; (3) the tool fetches GitHub Trending pages over HTTPS and writes bookmarks locally — run it in a sandbox or non-production account first and inspect the bookmark file contents to ensure no sensitive data is written; (4) because the packaging is sloppy (missing description/homepage, hardcoded username), prefer to get a clarified/cleaner release or the source repository before trusting it widely. If you need higher assurance, request the upstream repository or an explanation for the hardcoded path and the claimed Feishu integration.
Latest Release
v1.0.1
Version 1.0.1 Changelog - No file changes detected in this release. - All features, usage instructions, and integrations remain unchanged.
More by @guogang1024
Published by @guogang1024 on ClawHub
