Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendations
What to check before installing/using this skill:
- Expectation mismatch: The registry/metadata declare no env vars but the scripts read TAVILY_API_KEY, OBSIDIAN_VAULT, and RECIPIENT. Confirm whether you should provide any API keys and where those keys will be used.
- Vault path & recipient: The Python and shell scripts default to a specific user's vault path (/Users/george/... or ~/Documents/Georges/Knowledge). Edit VAULT_PATH/VAULT/OBSIDIAN_VAULT to point to your own vault before running, and...
ℹ Purpose and capabilities
Name/description align with the included scripts: downloading YouTube audio, transcribing, fetching pages, saving to an Obsidian vault, and generating digests/nightly research. Some minor mismatches: SKILL.md claims it 'searches multiple sources (Hacker News, Reddit, Twitter)', but nightly-research.sh performs searches via the Tavily API only (it does not independently query those sites). Overall capabilities match the stated purpose.
⚠ Instruction scope
SKILL.md and scripts instruct the agent to fetch remote web pages and call external services (Tavily API via curl, and send email via the 'gog gmail send' tool). The scripts also write files into an Obsidian vault path and remove temporary audio files. The SKILL metadata declared no required env vars, but the scripts read/expect environment variables (TAVILY_API_KEY, OBSIDIAN_VAULT, RECIPIENT) and use a hard-coded email recipient and hard-coded vault paths (/Users/george/... and ~/Documents/Georges/Knowledge). These runtime actions (external API calls and email sending) are outside the declared requirements and should be explicitly disclosed.
ℹ Installation mechanism
There is no formal install spec in the registry (instruction-only), which is lower risk from an automatic installer perspective. The SKILL.md tells the user to pip install packages (yt-dlp, faster-whisper, requests, beautifulsoup4, optional openai/anthropic). That is consistent with the code. No downloads from arbitrary URLs or archive extraction are present. Because the code relies on external binaries (yt-dlp, whisper) and a third-party CLI tool 'gog', the user must install those manually — the absence of an install spec means the skill won't auto-install them but the runtime will fail or behave unexpectedly if they are missing.
⚠ Credential requirements
Registry lists no required environment variables or credentials, yet scripts make use of environment vars: TAVILY_API_KEY (sent to api.tavily.com), OBSIDIAN_VAULT (overrides VAULT), and RECIPIENT. digest.sh and nightly-research.sh also use or assume the presence of an email-sending tool ('gog') which uses credentials not declared here. The scripts also include hard-coded local paths and a hard-coded recipient email (george@precaster.com.tw). Asking for or using API keys and email-sending capabilities is proportionate to the feature set — but they should be declared, and the hard-coded recipient is suspicious/unexpected behavior that could lead to unintended data exfiltration.
✓ Persistence and permissions
The skill does not request permanent platform-level privileges (always: false) and does not modify other skills' configuration. It writes notes to a user-visible Obsidian vault and temporary files in /tmp, which is expected given its purpose. Autonomous invocation is allowed (default) — combined with the environment/credential concerns above this increases potential impact, but the skill alone does not request 'always' or system-wide config changes.
Security comes in layers; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v1.2.1 (2026/3/3)
● Suspicious
Install command
Official: npx clawhub@latest install kb-collector
Mirror (accelerated): npx clawhub@latest install kb-collector --registry https://cn.longxiaskill.com