Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Meeting Notes Generator

v0.1.0

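An intelligent meeting-minutes expert that guarantees 100% of the information is retained with no omissions and a length of at least 2000 words. Use this skill when the user asks to organize meeting records, generate meeting minutes, extract key meeting points, summarize meeting content, or convert speech-to-text recording documents into structured minutes. Especially suited to scenarios that require guaranteed completeness and level of detail. Trigger phrases include but are not limited to: help me organize the meeting records, how to write meeting minutes, generate meeting minutes, organize the key meeting points, meeting...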

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims PDF/Word parsing and a four-round validation flow (appropriate for meeting-note generation) but also explicitly instructs use of a 'DeepSeek API' and an 'extract_pdfs_full_content' tool while declaring no required environment variables, binaries, or install steps. Referencing an external API/tool without declaring credentials or how it's available to the agent is an incoherence.
! Instruction Scope
SKILL.md contains detailed runtime instructions that are mostly within the stated purpose (parse, extract, validate), but there are contradictory and impractical constraints: (1) it forbids adding extra information yet demands supplementing missing content to reach ≥2000 words; (2) it says 'don't generate meeting background (e.g., meeting time...)' while the output spec includes a '会议基本信息' (basic meeting information) section (meeting time/place/host); (3) it requires 100% information coverage and zero omissions — an unrealistic, absolute guarantee, especially when also forbidding adding information. These contradictions affect how an agent should act and may force unjustified hallucination/over-generation.
Install Mechanism
Instruction-only skill with no install steps or code files; this minimizes supply-chain risk. No downloads, no binaries are specified.
! Credentials
The instructions call out using an external 'DeepSeek API' and a PDF extraction helper but the skill declares no required environment variables or primary credential. If DeepSeek (or any external service) is required, an API key or endpoint should be declared. The absence of credential declarations is disproportionate and ambiguous. Also the SKILL.md references local 'references/' files that are not present in the package.
Persistence & Privilege
always:false and no persistence or system config changes are requested. The skill does not request system-wide privileges or to modify other skills; autonomy is allowed by default but not combined with extra privileges here.
What to consider before installing
This skill appears to be a meeting-notes tool but has several red flags you should resolve before installing:

1) Clarify external service use — the SKILL.md names 'DeepSeek API' and a PDF extractor but the skill does not declare any API keys, endpoints, or binaries. Ask the author to explicitly list required env vars (e.g., DEEPSEEK_API_KEY) and explain where the extractor comes from.
2) Resolve contradictory rules — does the output require meeting basic info or explicitly forbid 'meeting background'? Must the agent be allowed to expand/interpret content to reach 2000 words, or only to rephrase existing content?
3) The requirement of "100% information coverage" plus "do not add information" is logically inconsistent; request a precise policy: allowed paraphrase, allowed expansion of wording vs adding new facts.
4) Privacy: because users upload possibly sensitive meeting transcripts, confirm whether any external APIs (DeepSeek) will receive full document contents; if so, require documentation of vendor privacy/security and recommend least-privilege API keys and explicit user consent before sending data.
5) Testing: ask for a minimal reproducible example and a clear list of external dependencies (or confirm fully self-contained operation).

Until these are clarified, treat the skill with caution — it’s not obviously malicious, but its missing declarations and internal contradictions make it risky to run on sensitive material.

Like a lobster shell, security has layers — review code before you run it.

latest vk970vwcke0ay7wbmhvzn0y138584f5nx
