ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Channel Activity

v3.0.0

Multi-channel short-term memory for AI assistants

0· 357·0 current·0 all-time
by@eightroad

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for eightroad/channel-activity-yanyue.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Channel Activity" (eightroad/channel-activity-yanyue) from ClawHub.
Skill page: https://clawhub.ai/eightroad/channel-activity-yanyue
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install eightroad/channel-activity-yanyue

ClawHub CLI

Package manager switcher

npx clawhub@latest install channel-activity-yanyue
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (multi-channel short-term memory) aligns with the included code (ChannelActivity, ShortTermMemory, CompleteContext). Features like TTL, summarization, cross-channel query and upgrade-to-long-term are implemented. However the code adds features not declared in metadata (family group sharing / automatic inclusion of other identities' entries) and the session hook files reference absolute developer workspace paths — these extend scope beyond what's documented in requires/config and are unexpected.
!
Instruction Scope
SKILL.md and INTEGRATION.md instruct adding a session hook so the agent can inject temporary-memory summaries before replies. The provided session_hook.py and session_hook_lite.py perform local file reads (memory JSON and MEMORY.md) and call ChannelActivity.get_context_summary. session_hook files hard-code sys.path insertions and in session_hook_lite a default memory_path points to an absolute developer path (/Users/kunpeng.zhu/.openclaw/workspace/MEMORY.md). The instructions do not disclose these file-path accesses or privacy implications (e.g., pulling full MEMORY.md into prompts).
Install Mechanism
There is no external install spec (no downloads), so nothing is pulled from remote URLs. The skill is instruction/code-only and writes/reads local files under 'memory/' by default — expected for a local cache-based memory skill. Risk from install mechanism is low, but the package does include multiple Python modules that will be executed when invoked.
!
Credentials
The registry declares no required env vars or config paths, yet the code reads/writes local files (memory/channel-activity.json, memory/short-term-cache.json) and session_hook_lite defaults to an absolute MEMORY.md path in a developer home. The skill also includes a family-group sharing feature that by default will include other members' recent messages in summaries (ai_decision default True). These behaviors access and expose local persisted data and other users' entries without any declared config or explicit permission mechanism.
!
Persistence & Privilege
The skill is not marked always:true, but integration docs explicitly recommend adding session_hook to the agent's session flow so it runs automatically before replies. Combined with the family-sharing behavior and the code reading MEMORY.md, automatic invocation increases privacy/exfiltration risk because the agent could inject local and long-term memory contents into prompts without explicit per-call filtering. Also the session_hook files' hard-coded paths suggest the code may attempt to access unexpected filesystem locations.
What to consider before installing
Before installing or enabling this skill, review and adjust the code and integration settings: 1) Inspect session_hook.py and session_hook_lite.py and remove or change hard-coded absolute paths (they point to a developer's home). 2) Confirm where memory files will be stored (default 'memory/' vs absolute paths) and ensure they don't contain secrets you don't want injected into prompts. 3) Audit the family-group sharing logic — by default it includes other members' recent messages; enable/require explicit consent if that is sensitive. 4) If you will add the session hook to automatic reply flow, test in a sandbox environment to see exactly what gets injected into prompts (especially MEMORY.md contents). 5) If you want stricter boundaries, modify the code to require explicit config for MEMORY.md path and to opt-in for cross-identity sharing. These changes will reduce privacy risk and make the skill's declared requirements match its behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fa8mdyqrymd3xnxry32f7f182gvmc
357downloads
0stars
7versions
Updated 7h ago
v3.0.0
MIT-0
@eightroad
latest
Download

Channel Activity

Record and query activities from different channels with 30-minute TTL.

Install

npx clawhub@latest install channel-activity

Usage

from channel_activity import ChannelActivity

ca = ChannelActivity()
ca.record("feishu", "Task request")
summary = ca.get_context_summary(channel="qq")

Features

  • Multi-channel support (Feishu, QQ, etc.)
  • 30-minute TTL with auto cleanup
  • Smart summarization (50 chars/message)
  • Cross-channel query

License

MIT

Comments

Loading comments...