Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hi Lite

v1.0.0

Search, browse, and rediscover your Kindle highlights

by Dylan (@gofordylan)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (import/search Kindle highlights locally) matches the instructions to read/write files under ~/.openclaw/workspace/hi-lite/. However, the README documents an 'Auto-Fetch from Amazon' feature and gives GitHub clone/install options that imply external code (Python + Playwright) that is not included in this registry package. That is an inconsistency: the skill advertises functionality that requires additional tooling or external repo code not bundled here.
Instruction Scope
Runtime instructions are scoped to the user's workspace directory and parsing of user-provided highlight files — appropriate for the stated purpose. The instructions also recommend adding the highlights directory to the agent's memorySearch.extraPaths (optional) and describe an auto-fetch workflow that will require a real browser login/session; the skill does not clearly state where session cookies or fetched data are stored or how they are protected. The fetch/login guidance raises a privacy surface (saving an authenticated session) that is not fully explained.
Install Mechanism
This skill is instruction-only (no install spec), which is low-risk. The README nonetheless suggests pip-installing Playwright and cloning a GitHub repo; because no install spec or code files are bundled, the README's install/fetch steps are external actions the user must perform themselves. That mismatch is a clarity/usability issue and a potential risk if users blindly follow commands to fetch/run third-party code without inspecting it.
Credentials
The skill does not request environment variables, credentials, or config paths in the registry metadata. Its declared local filesystem access (creating and reading files under ~/.openclaw/workspace/hi-lite/) is proportionate to its purpose. Note: the described Amazon auto-fetch requires a logged-in browser session (credentials entered by the user) and saving that session; although nothing is requested via env vars, that behavior can expose account session cookies if an external script is used, and the package does not explain where or how sessions are stored.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does suggest (optionally) adding the highlights directory to memorySearch.extraPaths to enable semantic search, which requires modifying the user's OpenClaw config if they opt in. That is a user-controlled change and not an elevated privilege by itself.
What to consider before installing
This skill appears to do what it says for local importing and searching of Kindle highlights, but there are important caveats:

(1) The package is instruction-only and contains no import/fetch scripts. The README's "Auto-Fetch from Amazon" flow and GitHub install instructions refer to external code you would need to download and run yourself. Don't run pip install or clone/run code from the internet unless you inspect the repository first.

(2) Auto-fetching requires logging into Amazon in a browser; that will create and (per the README) save a session. Understand where session data will be stored and who/what can read it.

(3) If you enable the memorySearch.extraPaths suggestion, you give the agent access to index those files for semantic search; only add paths you trust.

Recommended next steps before installing: verify the upstream GitHub repository and review its code (especially any fetch scripts), prefer manual exports (place your My Clippings.txt in the raw/ folder) if you want to avoid running third-party scripts, and back up your highlights directory if you'd like to inspect generated markdown files. If you want me to, I can (a) check the referred GitHub repo for the fetch script (if you provide the URL), or (b) walk you through a safe manual import workflow using only local files.
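The manual-import path the scan recommends (drop My Clippings.txt into a local folder, generate markdown per book) needs no browser session and no third-party script. The parser below is an added example, not code from the Hi Lite skill or its upstream repository. It assumes the standard Kindle clipping layout (title line, a metadata line starting with "- Your", a blank line, the clipping text, and a "==========" separator) and uses a constructed sample export rather than a real one; the output directory is a temporary folder here, whereas a real run would target ~/.openclaw/workspace/hi-lite/. The point worth seeing is that the book title, which comes straight from the export file, is treated as untrusted input when it becomes a file name, so a crafted title cannot steer the write outside the highlights directory.

```python
"""Parse a Kindle "My Clippings.txt" export into per-book markdown files.

Added example for the manual-import workflow; not code from the Hi Lite
skill or its upstream repository. Assumes the standard Kindle clipping
layout and an output directory chosen by the caller.
"""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

SEPARATOR = "=========="

# Constructed sample input (not a real export). The first entry is repeated,
# as Kindle exports often do, and the last has a hostile title to show that
# the output file name is derived safely.
SAMPLE_CLIPPINGS = """\ufeffThe Pragmatic Programmer (Hunt, Andrew)
- Your Highlight on page 12 | Location 180-182 | Added on Monday, January 1, 2024 10:00:00 AM

Care about your craft.
==========
The Pragmatic Programmer (Hunt, Andrew)
- Your Highlight on page 12 | Location 180-182 | Added on Monday, January 1, 2024 10:00:00 AM

Care about your craft.
==========
../../.ssh/authorized_keys
- Your Note on page 1 | Location 1 | Added on Monday, January 1, 2024 10:05:00 AM

ssh-ed25519 AAAA... attacker
==========
"""


@dataclass(frozen=True)
class Clipping:
    title: str
    kind: str       # "Highlight", "Note", ... (bookmarks are dropped)
    location: str
    text: str


def parse_clippings(raw: str) -> list[Clipping]:
    """Split the export on the separator and extract fields from each entry.
    Exact duplicates (same title, location and text) are kept once."""
    out: list[Clipping] = []
    seen: set[tuple[str, str, str]] = set()
    for block in raw.lstrip("\ufeff").split(SEPARATOR):
        lines = [ln.rstrip("\r") for ln in block.strip("\n").split("\n")]
        if len(lines) < 2 or not lines[1].startswith("- Your "):
            continue  # trailing whitespace or an unrecognised entry
        title = lines[0].strip()
        kind_match = re.match(r"- Your (\w+)", lines[1])
        loc_match = re.search(r"Location ([\d-]+)", lines[1])
        kind = kind_match.group(1) if kind_match else "Unknown"
        location = loc_match.group(1) if loc_match else "?"
        text = "\n".join(lines[2:]).strip()
        if kind == "Bookmark" or not text:
            continue  # bookmarks carry no text
        key = (title, location, text)
        if key in seen:
            continue
        seen.add(key)
        out.append(Clipping(title, kind, location, text))
    return out


def safe_filename(title: str) -> str:
    """Reduce an untrusted title to [A-Za-z0-9._-], then strip leading and
    trailing dots/underscores so the result can never be "..", a hidden
    file, or contain a path separator."""
    name = re.sub(r"[^A-Za-z0-9._-]+", "_", title).strip("._")
    return (name or "untitled")[:80] + ".md"


def write_markdown(clippings: list[Clipping], out_dir: Path) -> dict[str, int]:
    """Write one markdown file per book under out_dir; return entries per file."""
    out_dir = out_dir.resolve()
    out_dir.mkdir(parents=True, exist_ok=True)
    by_book: dict[str, list[Clipping]] = {}
    for c in clippings:
        by_book.setdefault(c.title, []).append(c)
    counts: dict[str, int] = {}
    for title, items in by_book.items():
        target = (out_dir / safe_filename(title)).resolve()
        # Second line of defence: refuse any path that resolved elsewhere.
        if target.parent != out_dir:
            raise ValueError(f"refusing to write outside {out_dir}: {target}")
        body = [f"# {title}", ""]
        body += [f"- ({c.kind}, loc {c.location}) {c.text}" for c in items]
        target.write_text("\n".join(body) + "\n", encoding="utf-8")
        counts[target.name] = len(items)
    return counts


def run_demo() -> dict[str, int]:
    """Parse the constructed sample into a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return write_markdown(parse_clippings(SAMPLE_CLIPPINGS), Path(tmp))


if __name__ == "__main__":
    print(run_demo())
```

To import a real export, read it with `Path("raw/My Clippings.txt").read_text(encoding="utf-8-sig")` (the `-sig` codec drops the byte-order mark Kindle writes) and pass the highlights directory as `out_dir`. The file-name sanitisation plus the post-resolve parent check are the two controls that matter if an agent will be writing files whose names come from data it did not author.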

Like a lobster shell, security has layers — review code before you run it.

latest: vk977vn3s9q2wkah4xgc1f7j7yd81qef4

Runtime requirements

📚 Clawdis