Is keepwonder/zhihu safe?

https://github.com/openclaw/skills/tree/main/skills/keepwonder/zhihu

76
CAUTION

The keepwonder/zhihu skill is a Zhihu social media API integration that was developed for a specific user's personal environment and published without adapting it for general use — every documented command references an absolute path on the developer's machine (/home/jone/clawd/...) that does not exist on any other system, making the skill non-functional as documented. No malicious code, prompt injection, or credential theft was detected: the Python script is clean, the installation was clean, and no canary files were compromised. The primary concerns are quality-related (broken paths, undeclared dependencies, argument documentation mismatches) and capability-related (the skill grants an agent unrestricted social media posting and engagement capabilities under the user's API credentials with no per-action confirmation).

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (10)

HIGH All documented commands reference non-existent developer machine path -20

Every command example in SKILL.md references /home/jone/clawd/skills/zhihu/scripts/zhihu_bot.py — a path on the original developer's local machine. This path does not exist when the skill is installed on any other system. An agent attempting to use the skill will invoke a non-existent script, receive errors, and may attempt to locate the correct binary elsewhere on the filesystem. All six documented commands (ring detail, pin publish, reaction, comment create/delete/list) are affected.

MEDIUM API credentials transmitted in plaintext header to external Chinese API -20

The Python script reads ZHIHU_APP_KEY from the environment and transmits it verbatim in the X-App-Key HTTP header with every request to openapi.zhihu.com. While HMAC-SHA256 signing uses ZHIHU_APP_SECRET to prove request integrity, the app_key credential itself flows to a third-party server on each invocation. Users who install this skill should understand their Zhihu API credentials will leave their environment and be visible to Zhihu's infrastructure.

MEDIUM Skill enables unrestricted social media posting and engagement without per-action confirmation -25

The skill gives any agent that loads it the ability to publish posts, create and delete comments, and apply likes/unlikes on Zhihu under the user's API credentials. No confirmation mechanism is built into the skill. If the agent is manipulated by adversarial content retrieved from the ring it queries (a prompt injection vector via ring content), it could be directed to post spam, disinformation, or other malicious content on the user's behalf without any safeguard.

MEDIUM Python executable with undeclared network-capable external dependency -15

zhihu_bot.py imports the requests library, which must be installed separately via pip. The skill provides no requirements.txt, setup.py, or automated installation for this dependency. The README.md mentions pip install requests in a single line without marking it as a prerequisite that must be satisfied before the skill can function. On systems where requests is absent, all skill commands will fail at import time.

MEDIUM Skill was authored for a specific private user context and published without generalization -20

Multiple indicators confirm this skill was designed for a single user's personal environment and was not adapted for general distribution: (1) all paths reference /home/jone/clawd/; (2) the 'Supported Ring' section hardcodes one specific ring ID; (3) versions 1.0.0 and 1.0.1 were published only 8 minutes apart, suggesting rapid iteration during initial setup rather than a polished release. The skill will not function correctly for any other user without modifying hardcoded paths throughout the documentation.

LOW Documentation/code mismatch causes agent to generate invalid commands -5

SKILL.md documents pagination for the ring detail and comment list commands as positional arguments (e.g., ring detail [page_num] [page_size]), but the argparse definitions use optional keyword arguments (--page-num, --page-size). An agent that generates commands based on the documented syntax will pass positional values that argparse does not recognize, causing silent argument drops or errors.

LOW User-generated content transmitted to Chinese social media platform -10

Content published or commented through this skill is transmitted to Zhihu's openapi.zhihu.com servers. Zhihu is a Chinese platform subject to Chinese data regulations. This is the declared and expected behavior for this skill type, but users should understand that posts, comments, and interaction data generated by the agent are subject to Zhihu's data handling policies and any applicable regulatory access requirements.

LOW Script path mismatch between installation and documentation makes skill non-functional -5

The skill installs the Python script to the skill directory, but all documentation references an absolute path on the developer's machine. There is no installation step that creates the expected path, no symlink, and no path resolution logic. An agent using this skill must independently determine the correct path to the installed script, which is not documented anywhere in the skill files.

INFO Clean installation with expected network activity only -5

The installation process performed a git sparse-checkout from the legitimate openclaw/skills repository. Network connections during installation were limited to GitHub (140.82.121.3:443) and standard Ubuntu package infrastructure. No unexpected processes were spawned, no files were written outside the skill directory, and no suspicious outbound connections were observed.

INFO Canary file accesses attributed to audit infrastructure, not skill -10

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were accessed at 10:25:29 (audit initialization) and 10:25:52 (audit teardown). These timestamps correlate with the audit framework's own canary setup and verification phases, not with any skill code execution. The Python script (zhihu_bot.py) contains no filesystem paths that would read credential files — it only reads ZHIHU_APP_KEY and ZHIHU_APP_SECRET from os.environ. All canary files remain unmodified.