Conversation Summary
v1.0.1Generate summaries for conversation content with incremental update support.
⭐ 1· 1.5k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The main capability (generating conversation summaries) matches the code: a Python script sends chat content to a summary API and returns a summary. However, repository metadata is inconsistent: package.json is a Node-style manifest (with a dependency named 'requests' and a postinstall chmod) while the runtime is Python and SKILL.md declares pip/request. This is sloppy packaging and reduces confidence in provenance but does not by itself contradict the stated purpose.
Instruction Scope
The SKILL.md instructs the agent to run the provided Python script which will transmit the entire chat_list (conversation content) and optional history_summary to an external HTTP endpoint (SUMMARY_API_URL). The SKILL.md does not disclose the remote endpoint, data handling, retention, or privacy implications. Sending raw conversation contents to an external service is expected for a remote summarization API, but the lack of disclosure about the endpoint's ownership/trustworthiness is a material concern.
Install Mechanism
There is no install spec (instruction-only), which minimizes install-time risk. The included package.json with a postinstall chmod is inconsistent with the 'no install' stance and the Python runtime; it suggests a Node-style package layout that isn't needed for a Python script. No remote downloads or archive extraction are present in the skill itself.
Credentials
The skill requests no environment variables or credentials (proportionate), but it exfiltrates user conversation text to an external endpoint without requiring any auth or user-provided endpoint. Because chat content can include sensitive data, automatic transmission to an opaque third-party endpoint is a privacy risk. The skill does not request credentials, but it does transmit potentially sensitive data to a host of unclear ownership.
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not modify system or other skills' configurations. It runs a local script when invoked and does not request elevated privileges.
What to consider before installing
This skill will send the full conversation text to https://iautomark.sdm.qq.com/assistant-analyse/v1/assistant/poc/summary/trigger to produce a summary. That endpoint and the package's source/homepage are not documented in the skill metadata. Before installing, consider: (1) Do you trust that remote endpoint (it may be a corporate/internal service)? (2) Do you want to expose potentially sensitive chat content to an external server? (3) Ask the publisher to clarify the endpoint owner, data retention/usage policies, and why package.json contains Node-style metadata while the runtime is Python. If you need confidentiality, avoid using this skill or modify it to call a trusted/local summarization service. If you proceed, test with non-sensitive data first.Like a lobster shell, security has layers — review code before you run it.
latestvk9738nj3c8m080x6658z8fdgan80kz80
License
MIT-0
Free to use, modify, and redistribute. No attribution required.