Plume NoteCard
v1.0.2Plume AI Notecard Generation Service. Triggered when users want to convert topics, long-form text, or reference images into notecards. Supports: topic noteca...
⭐ 0· 33·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the code and instructions: scripts implement upload, create-task, poll/history, and image description against a Plume API base. Required credential (PLUME_API_KEY) and the command-line workflow (transfer/create/history) are proportional to the stated purpose; there are no unrelated third-party credentials or unusual binaries requested.
Instruction Scope
SKILL.md instructs the agent to run local Python scripts (check_config.py and create_notecard.py) and to send a pre-call waiting message; scripts access local image files, write media results, and read/write an action log for retries. The instructions avoid remote shell installs or arbitrary code execution and explicitly prohibit asking for keys in chat or fabricating task IDs.
Install Mechanism
No install spec is present (instruction-only install), so nothing is downloaded or extracted. The skill includes local Python scripts that will be executed by the agent via Bash(python3 ...); this is expected and lower-risk than downloading remote archives.
Credentials
The only declared required credential is PLUME_API_KEY, which matches the API client usage. The code also checks for the key in EXTEND.md and optionally in ~/.openclaw/openclaw.json; reading that OpenClaw config is reasonable to find the key but does entail reading a user config file that may contain other environment entries (the script only attempts to extract PLUME_API_KEY). The config module includes credential-stripping patterns for common token formats (expected for log sanitization).
Persistence & Privilege
The skill does not request 'always' privilege and does not modify other skills or system-wide settings. It writes media files and per-channel action_log_{channel}.json to a media directory under the user's home (or configured EXTEND.md location) and reads EXTEND.md and optionally ~/.openclaw/openclaw.json. This local persistence is reasonable for history/retry but users should be aware of where output/logs are stored.
Assessment
This skill appears coherent for generating notecards, but consider these points before installing:
- You must supply PLUME_API_KEY: only provide an API key you trust for this service, and avoid using a broadly-scoped secret (use a key limited to the Plume notecard API if possible).
- The scripts will read EXTEND.md and may read ~/.openclaw/openclaw.json to find PLUME_API_KEY. If your OpenClaw config contains other secrets, the script reads that file but only attempts to extract PLUME_API_KEY; still, review that file if you are concerned.
- The skill writes generated images and action logs into a media directory under your home (or a path set in EXTEND.md). Make sure you’re comfortable with where outputs and logs are stored and their retention.
- No remote downloads or 'curl | bash' behavior are present, and the HTTP calls target design.useplume.app by default; if you need to change the API base, review EXTEND.md or set api_base_url explicitly.
- If you want extra assurance, inspect the included scripts (already present) or run them in an isolated environment (container or dedicated account) before granting access to sensitive keys.
Overall this package is internally consistent with its stated purpose; treat the PLUME_API_KEY with usual caution and confirm the storage locations meet your privacy requirements.Like a lobster shell, security has layers — review code before you run it.
latestvk97ejez7m22m08mmf99fv0kd518490q3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
EnvPLUME_API_KEY
Primary envPLUME_API_KEY