Security Scan
OpenClaw
Suspicious
medium confidence
The skill appears to be what it says (a personal context/knowledge manager) and does not request secrets or network installs, but there are implementation and packaging inconsistencies you should review before installing (claims to fetch from external services while code mostly writes local placeholders, no install spec despite many source files, and it will create/modify files in your home directory).
Assessment recommendations
Things to check before installing or running this skill:
- Capability vs implementation: The docs promise fetching from Feishu/WeChat/Xiaohongshu; the code accepts tokens/exports but does not implement network fetching for Feishu (it stores a placeholder/URL). If you expect automatic remote fetching, verify/implement the API client and audit any added network calls.
- Local persistence: The skill will create directories and write JSON files in a default directory (~/kb or ~/context). These fil...
ℹ Purpose and capability
Overall the code aligns with the stated purpose (collecting user notes, tagging, building thought-trees, maps, local storage). However the SKILL/README repeatedly claim integration with external platforms (Feishu, WeChat, Xiaohongshu) and demonstrate commands that imply online API calls; the provided collector implementation either expects exported text (wechat) or stores a placeholder and a source_url for feishu (no actual HTTP fetch implemented). That mismatch between advertised capability and implemented behavior is a coherence issue (not necessarily malicious) and may mislead users about what the skill will access.
ℹ Instruction scope
SKILL.md instructs workflows that collect from multiple sources and shows examples of using doc tokens, but the instructions do not ask the agent to read unrelated system files or to transmit data to external endpoints. The runtime code writes many JSON files to user-controlled base_path (~/kb or ~/context). The instructions mention API permissions in troubleshooting (e.g., '微信/飞书 API 权限?', i.e. "WeChat/Feishu API permissions?") which could prompt an agent or user to supply tokens even though the skill declares no required env vars.
✓ Install mechanism
No install spec is provided (instruction-only in registry), and there are no downloads or brew/npm installs. The code bundle exists in the repository but nothing in the provided files indicates remote code fetches or extract-from-URL installs. This is low-risk from an installer perspective.
ℹ Credential requirements
The skill declares no required environment variables or credentials. Some modules reference a config key (e.g., AIAnalyzer.api_key / ai_model) and README/examples show passing Feishu doc tokens; those are optional config values rather than required env vars. This is proportionate, but be aware that API keys or tokens would live in config.yaml/base_path if you supply them — the skill does not declare or enforce secure storage.
⚠ Persistence and privileges
The code creates and writes many files under a default base_path (config defaults like '~/kb' or '~/context'). It will create directories (inbox, contexts, bridges, maps, logs) and persist user content and metadata locally. While expected for a knowledge manager, this persistent file I/O means the skill will store potentially sensitive personal thoughts/decisions on disk by default; you should verify and, if necessary, change the base_path to a controlled location and review file permissions before use.
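Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.1.0 2026/4/16
Enhanced AI analysis, bridging logic, and cognitive map generation
● Harmless
Install command
Official: npx clawhub@latest install context-manager-v1
Mirror: npx clawhub@latest install context-manager-v1 --registry https://cn.longxiaskill.com (mirror available)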