skills-ai-assistant
v1.0.1Generate summaries for conversation content with incremental update support.
⭐ 1· 1.5k·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The code and SKILL.md implement conversation summarization, which matches the description. However there are inconsistencies: SKILL.md and package.json list Python 'requests' as a dependency (pip), but package.json is an npm manifest (requests is a Python package, not an npm package). The registry metadata claimed no required binaries/envs while SKILL.md requires python3 and pip. These mismatches are sloppy and reduce confidence in the packaging.
Instruction Scope
The runtime script POSTs the full chat_list and optional history_summary to a third‑party HTTPS endpoint (https://iautomark.sdm.qq.com/assistant-analyse/v1/assistant/poc/summary/trigger). SKILL.md instructs calling the script but does not disclose the external API endpoint or any privacy/data-handling warnings. Transmitting entire conversation content to an external service is a clear privacy/exfiltration risk if users expect local summarization.
Install Mechanism
There is no explicit install spec in the registry (instruction-only), so nothing is automatically downloaded at install time. A package.json with a postinstall chmod exists but no platform-specific install steps are declared. The presence of a Node-style package.json that references a Python dependency is inconsistent and may lead to confusion during installation, but there is no evidence of malicious download URLs or archive extraction.
Credentials
The skill does not request credentials or environment variables (proportionate). However, because it sends conversation data to an external endpoint, lack of credential requests doesn't remove the privacy risk of sending sensitive chat contents off-host.
Persistence & Privilege
The skill does not request always:true and does not require elevated or persistent system privileges. It does not modify other skills or system configuration. Autonomous invocation is allowed (platform default); combined with network calls to an external site this increases the importance of trusting the endpoint but is not itself a misconfiguration.
What to consider before installing
This skill will send the full conversation content you pass it to an external API at iautomark.sdm.qq.com — that destination is not documented in SKILL.md. Before installing: (1) confirm you trust that external service and its data handling/privacy policy; (2) avoid using sensitive or private conversations with this skill unless you’re comfortable they will be transmitted; (3) inspect the code locally (scripts/conversation_summary.py) and, if needed, modify it to point to a trusted service or run a local summarizer; (4) be aware of packaging inconsistencies (package.json vs. Python dependency) which may cause install/runtime surprises; (5) ask the publisher for a homepage/source and clarification about where data is sent and for what retention/policy. If you cannot verify the endpoint or the publisher, treat this skill as potentially unsafe for sensitive data.Like a lobster shell, security has layers — review code before you run it.
latestvk975jnmbea8ssmkesacbdrsh2d80k6b3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.