SiYuan Notes Enhanced (思源笔记增强版)

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its SiYuan note-taking purpose, but it ships a debug script with a hardcoded SiYuan API host and token, so it should be reviewed before use.

Before installing, remove the debug script or verify it cannot run, rotate the exposed SiYuan token if it belongs to you, and configure your own SIYUAN_API_TOKEN/SIYUAN_API_URL. Use write and sync features only after confirming the target notebook and avoid syncing sensitive conversations.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If that token is real or reused, it can expose or modify a SiYuan note workspace and bypass the user's intended credential configuration.

Why it was flagged

The skill declares SIYUAN_API_TOKEN as the primary credential, but this bundled debug script embeds a specific SiYuan API endpoint and token directly in source code.

Skill content

API_URL = "http://192.168.1.6:6811"
TOKEN = "xz1...qcpm"

Recommendation

Remove hardcoded tokens and hosts, read only from SIYUAN_API_TOKEN/SIYUAN_API_URL or a user-owned config file, rotate the exposed token, and exclude debug scripts from the published skill.

What this means

Running example or verification scripts may create or clutter notes such as fixed test documents without being part of the user's actual request.

Why it was flagged

Several included example/test scripts directly create documents in the default SiYuan notebook when executed. This is aligned with the skill's write capability, but it mutates user notes.

Skill content

doc_id = client.create_document("其他", document_name, content, tags=["测试", "增强版", "666"])

Recommendation

Use the core client functions only for explicit user-requested writes, and remove or quarantine demo/test scripts in a production skill package.

What this means

Private chats, summaries, or note contents may be stored persistently in SiYuan and could be retrieved into later agent contexts.

Why it was flagged

The skill is designed to persist OpenClaw conversation content into SiYuan and later search/read note content back into the agent workflow.

Skill content

Conversation sync - sync OpenClaw conversations to SiYuan Notes

Recommendation

Sync only conversations you intend to keep, avoid storing secrets, confirm the target notebook/document before writing, and review any auto-sync setting before enabling it.

What this means

It is harder for a user to verify where the code came from or whether it matches an upstream project.

Why it was flagged

The package has limited provenance information, although it does not specify a remote installer or automatic dependency execution.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Install only if you trust the publisher, inspect the included source, and prefer packages that link to an auditable repository and release history.