ClawHub

Little Steve Content Inbox

v0.1.5

Archive, browse, and manage chat content including links, notes, and images with read/star status and pagination in an IM-native inbox.

0· 274·1 current·1 all-time
by@echoofzion
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description align with the included scripts and data files: it stores, lists, views, updates status, and deletes items. Minor inconsistency: SKILL.md declares a required binary (jq) but the registry metadata lists no required binaries; jq is actually required at runtime (scripts call jq).
Instruction Scope
SKILL.md instructs the agent to run local scripts (inbox.sh, content-im.sh) and explicitly forbids auto-archiving except on explicit keywords. The runtime instructions match what the scripts implement; they only read/write local JSON data and do not instruct reading unrelated system files or contacting external endpoints.
Install Mechanism
No install spec (instruction-only) and included scripts are executed locally. There are no downloads or external installers. This is low-risk from an install mechanism perspective.
Credentials
The skill requests no environment variables or credentials. It only requires the `jq` binary (declared in SKILL.md and enforced in scripts). No other secrets or unrelated system config are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configs. It stores its data under its own data/ directory and sets file permissions (600) for created files.
Assessment
This skill is a local, script-based inbox that stores items in skills/little-steve-content-inbox/data/*. It does not request credentials or make network calls. Before installing: 1) Ensure jq is available (brew install jq or your package manager) because the scripts require it but registry metadata omitted it. 2) Be aware that when you add an image you provide a media-path; the script records that file path but does not copy or upload it — so it can expose local path strings in the stored JSON and when viewed. 3) Review the included scripts if you have privacy concerns (they read/write the JSON files and create a media dir, but do not exfiltrate data). 4) The skill correctly implements an explicit keyword-only rule for adding items (it will not auto-archive), which you should keep in mind when using it in chat. If you want tighter guarantees, run the scripts in a sandboxed environment or inspect/modify them to suit your security posture.

Like a lobster shell, security has layers — review code before you run it.

latestvk9787yn75p1z7eba1n7bx1hnj582bb5m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments