Security scan
OpenClaw
Suspicious
High confidence: The skill's code and runtime instructions match its stated purpose (syncing Tencent meetings with Gitea), but the package registry metadata omits the required configuration/credentials, and the package performs write/delete operations across repositories; this mismatch and the required privileges warrant caution.
Assessment recommendations
This skill mostly does what it says — scanning Gitea, comparing with Tencent meetings, and updating repo metadata — but there are important caveats you should consider before installing:
- Metadata mismatch: The skill requires configuration (GITEA_BASE_URL, GITEA_TOKEN_BOT, AIFUSION_META_REPO, ADVISOR_GITEA_USERNAME) but the registry metadata lists no required env vars. Do not assume no secrets are needed; you must supply a Gitea bot token.
- Token scope: The Gitea token must allow reading rep...
⚠ Purpose and capabilities
The skill is clearly designed to talk to Gitea (read/write/delete files, create directories, update meta.yaml, append logs) and to be configured via ~/.config/skill-h-meeting-sync/.env (GITEA_BASE_URL, GITEA_TOKEN_BOT, AIFUSION_META_REPO, ADVISOR_GITEA_USERNAME). However, the registry metadata claims no required env vars or primary credential. That is an internal inconsistency: a functioning installation legitimately requires at least a Gitea base URL, a bot token (with repository read/write privileges) and a meta-repo name. The .env example even contains a hard-coded IP for GITEA_BASE_URL, which may be surprising and should be reviewed.
⚠ Instruction scope
SKILL.md and the code specify exact commands and file paths (~/.config/skill-h-meeting-sync/.env, node main.js <cmd>, bash setup.sh). The runtime steps actively read and modify Gitea repository contents (create/update/delete files), enumerate repositories via the Gitea API, and fetch user emails. These actions are consistent with the stated purpose but are destructive (deleting original files during archive) and require clear constraints. The skill also expects OpenClaw to call external skills (tencent-meeting-skill, imap-smtp-email); it will not send email itself, but it returns email payloads to another component. The code does not read unrelated local files beyond its config, which is good, and the documented safety checks (e.g., skipping cancel if scheduled_time <= now) are important and present.
⚠ Installation mechanism
There is no formal install spec in registry metadata (instruction-only), but the bundle includes a setup.sh that runs pip install -r requirements.txt (with --break-system-packages). This will install Python packages system-wide by default unless run inside a virtualenv. Including a setup script that performs global pip installs is a non-trivial installation step and should be run intentionally in a controlled environment. No remote arbitrary downloads are used; dependencies come from PyPI (requirements.txt).
⚠ Credential requirements
The code requires sensitive environment configuration (GITEA_BASE_URL and GITEA_TOKEN_BOT at minimum, plus AIFUSION_META_REPO and an advisor username). These are not declared in the registry metadata, creating a mismatch. The Gitea token must have write/delete privileges for potentially many repositories (get_managed_repos enumerates repos, and the archive/reschedule/cancel operations modify repo contents), so the privilege requested is substantial and should be scoped carefully. The skill also fetches user emails from Gitea, which is expected for notifications but is access to user data.
✓ Persistence and permissions
The skill is not marked always:true and does not modify other skills' configurations. It runs on-demand/cron and executes contained scripts. It does perform persistent changes within Gitea repositories (writes, creates, deletes) but only within the intended purpose and using the Gitea bot token; there is no evidence it attempts to persist itself into agent configuration or escalate platform privileges.
⚠ main.js:26
Shell command execution detected (child_process).
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Install command
Official: npx clawhub@latest install skill-h-meeting-sync
Mirror (accelerated): npx clawhub@latest install skill-h-meeting-sync --registry https://cn.longxiaskill.com