Chat Search
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s chat-search purpose is coherent, but it appears to handle private Feishu/Telegram chat history through an under-specified vector database setup without clear data scope, permission model, or cleanup guidance.
Only install this if you are comfortable setting up a local vector database for chat search and can verify exactly which Feishu/Telegram messages will be indexed. Before use, ask the maintainer to document the data source, authentication method, storage location, retention policy, cleanup steps, and dependency versions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private Feishu or Telegram conversations could be stored and reused in a local search index beyond what the user expected.
The skill is designed to semantically search chat records using embeddings and a vector database, which can retain sensitive message content or derived embeddings. The artifact does not define indexing scope, retention, deletion, access controls, or reuse boundaries.
- Semantic search over chat records
- Uses the Qdrant vector database
- Uses FastEmbed to generate Chinese-language vectors
Document exactly what chat data is ingested, where it is stored, how long it is retained, how users can delete it, and require explicit user confirmation before indexing broad chat history.
Users cannot tell whether the skill relies on exported chats, local sessions, tokens, or an existing database, making the permission boundary unclear.
Searching Feishu or Telegram chat history normally requires access to account or exported chat data, but the artifact set declares no credential, configuration path, or permission model explaining how that access is obtained or limited.
Description: Search and find relevant chat messages from Feishu or Telegram... Required env vars: none... Primary credential: none
Declare the expected data source and authentication method, state the minimum required permissions, and avoid using broad account/session access unless it is clearly documented and user-approved.
A later dependency version could behave differently from the version the skill author expected.
The setup instructions pull external Docker and PyPI dependencies without pinning versions. This is user-directed and purpose-aligned, but it leaves dependency provenance and reproducibility less clear.
docker run -d --name qdrant -p 6333:6333 qdrant/qdrant
# Python FastEmbed
pip install fastembed
Pin dependency versions or digests, link to official installation instructions, and document how to verify the installed components.
