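Tracks and pushes a daily news briefing of trending topics on X (x.com). Use when the user asks to "check X trends on a daily schedule", "fetch popular posts for specified topics", or "monitor X trends via the browser". By default it covers five topics: AI, LLM, and social hot topics (China/Singapore/United States). The focus is a "lowest-cost know-what edition": 2 must-knows + 3 can-ignore + a 10-minute action, helping the user resist FOMO rather than just listing headlines.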
Security Analysis
medium confidence
Skill is coherent with scraping X via a browser, but it implicitly requires access to a Chrome profile (cookies/session) without declaring that need — this is a privacy/permission gap the user should understand before installing.
The skill's stated purpose (daily X.com topic summaries) matches the instructions (open X, run topical searches, extract top posts). However the runtime explicitly asks to use 'browser profile=chrome', which implies access to a local Chrome profile or browser automation credentials; that access is not declared in the skill metadata (no required config paths or env vars). This is incongruent with the declared zero-credential footprint.
SKILL.md stays focused: open X, fetch top posts per topic, filter/dedupe, and summarize. It does not instruct sending data to external endpoints beyond producing the summary. The main scope concern is the use of a browser snapshot (refs=aria) which can capture personalized content tied to a logged-in session if the Chrome profile is used.
Instruction-only skill with no install spec and no code files — lowest install risk. There is nothing being downloaded or written by the skill itself.
The skill requests no environment variables or config paths, yet the instructions demand 'profile=chrome' browser access. That implicitly requires access to the user's browser environment or automation endpoint (cookies, session tokens, stored credentials). The lack of declared required config/permission is disproportionate and a privacy risk.
always:false and no persistent install behavior. The skill does not request system-wide configuration changes or permanent presence. Autonomous invocation is allowed (platform default) but not combined with other high privileges.
Guidance
This skill appears to do what it says (scrape X and summarize), but it asks the agent to use a Chrome profile for browser automation without declaring that it will access browser data. That can expose your logged-in X account, cookies, and personalized feed. Before installing:
1) Confirm how your agent's 'browser' tool handles 'profile=chrome': does it use your real profile or an isolated ephemeral profile?
2) If you don't want account-linked personalization or cookie exposure, require the skill to run with an unauthenticated/ephemeral profile or headless scraping.
3) Verify where snapshots and extracted data are stored or transmitted and the retention policy.
4) If you accept the privacy tradeoff, limit the agent's browser permissions or create a dedicated Chrome profile for this skill.
If the publisher can provide explicit wording that no personal profiles or credentials are used (or supply a dedicated/profile path), that would reduce the concern.
Latest Release
v1.0.0
Initial release: anti-FOMO trending-topics quick view (2 must-knows + 3 can-ignore + 10-minute action)
Published by @hmzo on ClawHub