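📦 Summarize File - File at a Glance
v1.0.0 Reads text files in the workspace or at a specified path and automatically generates a concise summary; supports logs, reports, CSV and multi-line content, quickly extracting key information.
0 · 1.7k · 18 current · 21 cumulative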
Last updated
2026/4/22
Security scan
OpenClaw
Suspicious
high confidence
The skill's description says it will use a workspace API and produce concise LLM summaries, but the shipped code reads a hard-coded Windows path directly, performs no sanitization, and merely returns the first 500 characters; these mismatches are significant and unexplained.
Assessment recommendation
Do not install or enable this skill without changes. The code does not match the skill description: it reads a hard-coded Windows path using fs rather than the platform workspace.read API, performs no path validation (risk of reading files outside the workspace), and does not implement any LLM summarization; it just returns the first 500 characters. If you want to proceed, ask the author to (1) remove hard-coded absolute paths and use the declared workspace.read API, (2) add robust path normali...
⚠ Purpose and capabilities
SKILL.md and skill.json state the skill reads files via the workspace.read tool and returns LLM-generated summaries. The actual code (index.js) bypasses workspace.read and uses fs to directly open a hard-coded Windows path (C:\Users\user\.openclaw\workspace\${filename}). The code does not perform summarization, only slices the first 500 characters. This is not proportionate or coherent with the stated purpose.
⚠ Instruction scope
The runtime instructions promise path validation, cross-platform behavior, and local-only workspace API access. The implementation lacks any path normalization/validation and concatenates user-supplied filenames into an absolute path, which likely permits path traversal (e.g., '..\') to access files outside the intended workspace. The code is also Windows-specific and contradicts the SKILL.md claims about using workspace.read and returning 2–3 sentence summaries.
✓ Install mechanism
There is no install script or remote download — the skill is instruction-only plus a small code file. That lowers installer risk (nothing is fetched from the network).
⚠ Credential requirements
The skill declares no environment or credentials (which is appropriate), but its implementation accesses an absolute user home path directly instead of using the declared workspace.read permission/API. That bypass can defeat sandboxing expectations: although no secrets are requested, direct fs access to C:\Users\user\... is broader than the declared surface and may expose unrelated local files.
✓ Persistence and privileges
The skill does not request always:true, does not modify other skills, and has no install-time persistence. It appears not to escalate privileges or autonomously persist configuration.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest · v1.0.0 · 2026/2/22
- Initial release of Summarize File skill.
- Reads text files and generates concise 2–3 sentence summaries, highlighting key insights and ignoring boilerplate or empty lines.
- Handles various formats including logs, reports, CSVs, and multi-line content.
- Operates securely with read-only, local file access; no data leaves your machine.
- Supports file path validation to prevent directory escapes.
● Suspicious
Install command
Official: npx clawhub@latest install summarize-file
Mirror (accelerated): npx clawhub@latest install summarize-file --registry https://cn.longxiaskill.com