Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Personal Wiki

v1.0.0

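Personal knowledge base (LLM Wiki) operations skill. Triggered when the user expresses one of the following intents:
- Ingest: process new content, update the knowledge base, "process new IMA content", "process Evernote", "process the files in raw", "help me ingest"
- Query: search the wiki, "is there anything about XX in the wiki", "find XX in the knowledge base"
- Lint: tidy up the wiki...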

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description say the skill ingests from IMA (Tencent), Evernote, and local files into a local ~/wiki; the SKILL.md only requests EVERNOTE_TOKEN (and documents reading IMA creds from ~/.config/ima) and reads/writes the local wiki directory — these permissions are proportional and expected for the stated functionality.
Instruction Scope
Runtime instructions explicitly instruct reading: WIKI_DIR (default ~/wiki), ~/.config/ima/client_id and api_key, and environment variable EVERNOTE_TOKEN; they call remote APIs for IMA and Evernote and perform local file parsing and writes to ~/wiki/pages, index.md, log.md. There are no instructions to read unrelated system files or to transmit data to unknown endpoints.
Install Mechanism
This is an instruction-only skill with no install spec. The README suggests the user install Python packages (evernote2, python-pptx, python-docx) and system utility pdftotext; requiring user-installed dependencies is reasonable for local file processing and is low-risk compared with arbitrary downloads/run-at-install.
Credentials
Only EVERNOTE_TOKEN is required as an environment variable; IMA credentials are read from standard config files and are declared in metadata. No unrelated secrets or many credentials are requested. The scope of credentials matches the declared integrations.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request system-level modifications or access to other skills' configurations. Writing/reading only occurs in the user wiki directory and declared config paths.
Assessment
This skill appears coherent: it needs your Evernote developer token and your IMA client_id/api_key (stored under ~/.config/ima) so it can fetch notes, and it will read and write files in ~/wiki (pages, index.md, log.md) and process files under ~/wiki/raw/. Before installing:
1) Only grant a developer Evernote token you control and are willing to revoke (token lifespan noted as short — rotate it if needed).
2) Keep IMA credentials in a dedicated config, and consider creating a minimally-privileged access account if possible.
3) Review SKILL.md and README to confirm you are comfortable with the described file writes.
4) Install required Python packages and pdftotext from official sources; run in a controlled environment if you are concerned about parsing unknown files.
5) If you want stronger containment, run the skill in a sandboxed account or VM so its file writes are limited to a directory you control.


Tags: evernote, ima, ingest, knowledge-base, latest, wiki

Runtime requirements

🧠 Clawdis
Env: EVERNOTE_TOKEN
