Getnote 1.5.7

v1.0.0

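Get笔记 - Save, search, and manage personal notes and knowledge bases. **Use this Skill in the following situations**: (1) The user wants to save content to notes: sends a link, sends an image, or says "jot this down", "save to notes", "save", "bookmark" (2) The user wants to search or view notes: "search for it", "look through my notes", "what did I save recently", "show me the original text" (3) The user wants to manage knowledge bases or tags: "add to knowledge base", "create...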

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (save/search/manage notes) align with required files and instructions: API calls target openapi.biji.com, scripts implement OAuth device polling and image upload, and optional environment variables are exactly the service credentials one would expect.
Instruction Scope
SKILL.md instructs automatic OAuth device flow if GETNOTE_API_KEY is missing and to write credentials into ~/.openclaw/openclaw.json; this is within the expected scope for a service that needs user credentials, but it grants the skill the ability to initiate background polling for up to 10 minutes and to persist keys in the local skill config—users should be aware and consent to that behavior.
Install Mechanism
No install spec; skill is instruction-first and ships two small helper scripts. No network downloads or archive extraction at install time. Risk from install mechanism is low.
Credentials
Declared optional environment variables (GETNOTE_API_KEY, GETNOTE_CLIENT_ID, GETNOTE_OWNER_ID) map directly to the API and owner-check logic described. The skill does not request unrelated credentials or system secrets.
Persistence & Privilege
Skill is not 'always: true'. It does instruct writing API credentials to ~/.openclaw/openclaw.json (its own agent config) and runs background polling during OAuth; these are expected for automatic setup but are persistent actions the user should understand before enabling the skill.
Assessment
This skill appears to do what it claims: it will contact https://openapi.biji.com, can start an OAuth Device Flow and poll for up to 10 minutes in the background, and will write the obtained API key/client id into your ~/.openclaw/openclaw.json so future calls are authorized. The provided upload script will upload images to an OSS host returned by the API (expected behavior for image upload). Before installing: (1) confirm you trust the Get笔记 service and its domain (openapi.biji.com); (2) do not paste API keys into chat—use the OAuth flow or set GETNOTE_API_KEY/GETNOTE_CLIENT_ID in your OpenClaw config manually if you prefer; (3) be aware the agent will persist credentials to your OpenClaw config and may poll the token endpoint in the background during authorization; (4) avoid uploading sensitive images unless you accept those files being sent to the service/OSS host. If you want stricter control, manually obtain an API key on the provider site and add it to ~/.openclaw/openclaw.json rather than using the automatic flow.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dr8w2795zhyv42wztka7a6x84vaj4
