mycroft
v1.0.2
EPUB and ebook ingestion, local vector index, and Q&A CLI for books.
⭐ 2· 587·0 current·0 all-time
by Fabian Schultz @fabe
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (EPUB ingestion, local vector index, Q&A) match the declared requirements: it needs the mycroft CLI binary and an OPENAI_API_KEY for embeddings/summaries. There are no unrelated credentials or binaries requested.
Instruction Scope
SKILL.md instructs the agent/user to run mycroft commands that ingest local EPUB files and call the OpenAI API for embeddings/summaries. That behavior is consistent with the stated purpose, but it inherently transmits book contents to OpenAI — a privacy/cost consideration users should be aware of before ingesting sensitive material or large corpora.
Install Mechanism
The registry metadata shows no formal install spec, but SKILL.md contains metadata suggesting installation via npm (@fs/mycroft). Installing an npm package is a normal way to obtain the CLI, but npm installs run arbitrary code and should be verified (check package provenance, repository, and release). This is a moderate risk but proportionate to the skill's functionality.
Credentials
Only OPENAI_API_KEY is required, which is appropriate for embeddings/summaries. No additional unrelated secrets or config paths are requested.
Persistence & Privilege
Skill is instruction-only, does not request always:true, and does not modify other skills or system-wide settings. It only requires the CLI to be present and is user-invocable.
Assessment
This skill appears to do what it says: a CLI that ingests ebooks and uses your OpenAI key to create embeddings and summaries. Before installing/using it: (1) Do not ingest books or documents you consider confidential—ingestion sends content to OpenAI for embeddings/summaries. (2) Verify the npm package @fs/mycroft and the GitHub repo (publisher, recent commits, issues) before installing; consider inspecting package contents or installing in an isolated environment. (3) Use a restricted or monitored OpenAI key (budget limits, org controls) if possible to limit accidental cost/exposure. (4) When scripting, avoid --force or interactive flags unless you understand the implications. If you want more assurance, ask for the package's repository commit hash or a reproducible build before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk97fxy42xkws508v9xjbh63cjd81dprc
Runtime requirements
📚 Clawdis
Bins: mycroft
Env: OPENAI_API_KEY
