Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kakaotalk

v1.2.8

A skill that turns a KakaoTalk channel into an AI agent. Supports Vercel Serverless deployment. (Optional: connect it to your local computer for file/memory access.)

0 · 827 · 3 current · 3 all-time
by Tomas@lifeissea
Security Scan

VirusTotal: Suspicious (View report →)
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (KakaoTalk agent with optional local file/memory access and Vercel deployment) matches the code and scripts: api handlers for Vercel Basic mode, and a Relay mode with a Supabase queue plus a local watcher that reads local memory files. Required binaries (vercel, python3) are reasonable. Minor inconsistency: SKILL.md metadata lists GEMINI_API_KEY and SUPABASE vars as optional, but the code and scripts also reference additional envs (KAKAO_CALLBACK_SECRET, KAKAOTALK_SYSTEM_PROMPT, OLLAMA_HOST/OLLAMA_MODEL, etc.) that are not enumerated in the registry metadata.
Instruction Scope
SKILL.md instructs users to deploy to Vercel or run a local watcher. The watcher and install scripts explicitly read ~/.openclaw/.env and ~/.openclaw/workspace/MEMORY.md, install a launchd service, and can start ngrok to expose a local endpoint. Reading a user's local MEMORY.md and .env (which may contain secrets) and exposing a local webhook via ngrok are outside trivial chatbot scope and introduce privacy and exfiltration risk — although they are described as 'optional', the runtime instructions and scripts perform these actions without strong warnings.
Install Mechanism
There is no platform install spec (instruction-only plus bundled scripts). That is lower risk than arbitrary binary downloads. The included install scripts create a launchd plist and recommend ngrok; they do not download code from untrusted URLs. However, the repository details in package.json point to a public GitHub URL but the distribution 'Source' is unknown — consider verifying upstream source.
Credentials
Relay mode legitimately needs SUPABASE_URL and a SUPABASE_SERVICE_KEY to write/read the queue, and Basic mode needs a Gemini API key. But the skill asks for a Supabase Service Role key (SUPABASE_SERVICE_KEY) which is a high‑privilege secret (can read/write all rows and bypass Row Level Security). The scripts also load and reuse local .env secrets (GEMINI_API_KEY, KAKAO_CALLBACK_SECRET) and place them into a launchd plist. Several env vars used in the code are not declared in the registry metadata. Storing/using a service role key and reading local .env should only be done if you fully trust the skill and the Supabase project configuration.
Persistence & Privilege
The skill does not set always:true, but provides an install script that registers a persistent launchd service and RunAtLoad true on macOS. That is expected for a relay that should process messages while your machine is on, but installing it gives the skill ongoing local execution and access to the local filesystem and configured env variables. Installing the service is an explicit user action — review the plist and scripts before running.
What to consider before installing
This skill appears to implement a KakaoTalk webhook service with two modes: Basic (Vercel server that calls Gemini) and Relay (Vercel + Supabase queue + a local watcher that runs on your machine and can read files). Things to consider before installing or running it:

- Privileged keys: Relay mode asks you to supply SUPABASE_SERVICE_KEY (a Supabase 'service role' key). That key grants broad database access; prefer a scoped key or a dedicated project with only the minimal table and permissions. Do NOT reuse an admin/service key from a production database.
- Local secrets & files: The watcher and install script read ~/.openclaw/.env and ~/.openclaw/workspace/MEMORY.md. Those files may contain sensitive secrets or PII. Only run the watcher if you trust the skill and have inspected the code. If you don't want file access, use Basic mode (Vercel) instead.
- Persistent service: install-service.sh creates a launchd plist (auto start, logs) and injects env vars into the plist. Inspect the generated plist and the script before running; remove or sanitize any environment values you don't want persisted in system services.
- ngrok exposure: scripts offer to start ngrok to expose your local server. Exposing a local endpoint to the public internet can leak data if the endpoint or callback URLs are misconfigured. Ensure ngrok is configured with an auth token and verify the public URL before registering it in Kakao.
- Keys on Vercel: If deploying the Basic or Relay server on Vercel, be mindful which keys you set as environment variables for serverless functions (these are accessible to the server code). Avoid putting broad service-role keys into a shared hosting environment unless you understand the implications.
- Review & test: Because many sensitive operations are present (DB writes, callback posting, filesystem reads, persistent service), review the included Python scripts (server.py, watcher.py, install scripts) and test in an isolated environment (throwaway Supabase project, sandbox machine) before using on production data. If you are not comfortable with these privileges, use only Basic mode with minimal keys, or decline to install the local relay/watchers.
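The two checks the review asks for (compare the environment variables a component actually uses against the three the registry declares, and inspect the launchd plist before loading it) as an added example. This is not code from the skill or from ClawHub: it parses a constructed plist with Python's standard plistlib, reports keys that are undeclared or secret-looking, and writes a copy with the secret-looking values stripped. The plist layout and every sample value are assumptions made for the example.

```python
import plistlib
import re

# Environment variables the registry metadata declares for this skill.
DECLARED_ENV = {"GEMINI_API_KEY", "SUPABASE_URL", "SUPABASE_SERVICE_KEY"}

# Key names that normally hold secrets. Values under these keys should not be
# persisted in a launchd plist unless you have decided they belong there.
SECRET_KEY_PATTERN = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD)$", re.IGNORECASE)

# Constructed sample plist standing in for the one install-service.sh would
# generate. Layout and values are assumptions; nothing here is a real secret.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>example.kakaotalk.watcher</string>
  <key>RunAtLoad</key><true/>
  <key>ProgramArguments</key>
  <array><string>python3</string><string>watcher.py</string></array>
  <key>EnvironmentVariables</key>
  <dict>
    <key>SUPABASE_URL</key><string>https://example.supabase.co</string>
    <key>SUPABASE_SERVICE_KEY</key><string>eyJ-CONSTRUCTED-SAMPLE</string>
    <key>GEMINI_API_KEY</key><string>AIza-CONSTRUCTED-SAMPLE</string>
    <key>KAKAO_CALLBACK_SECRET</key><string>constructed-secret</string>
    <key>OLLAMA_HOST</key><string>http://127.0.0.1:11434</string>
  </dict>
</dict>
</plist>
"""


def audit_plist(raw: bytes) -> dict:
    """Report whether the service auto-starts, which env keys it carries,
    which of those the registry metadata never declared, and which look
    like secrets that will now live in a system service definition."""
    plist = plistlib.loads(raw)
    keys = set(plist.get("EnvironmentVariables", {}))
    return {
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "env_keys": sorted(keys),
        "undeclared": sorted(keys - DECLARED_ENV),
        "secret_like": sorted(k for k in keys if SECRET_KEY_PATTERN.search(k)),
    }


def sanitize_plist(raw: bytes) -> bytes:
    """Return a copy of the plist with secret-looking env values removed, so
    the service definition keeps only non-sensitive settings."""
    plist = plistlib.loads(raw)
    env = plist.get("EnvironmentVariables", {})
    plist["EnvironmentVariables"] = {
        k: v for k, v in env.items() if not SECRET_KEY_PATTERN.search(k)
    }
    return plistlib.dumps(plist)


if __name__ == "__main__":
    print(audit_plist(SAMPLE_PLIST))
    print(sanitize_plist(SAMPLE_PLIST).decode())
```

Run audit_plist over the plist the install script actually produced before loading it with launchctl; whatever it lists under undeclared or secret_like is exactly what the review above tells you to inspect or remove, and sanitize_plist gives you a version with those values gone.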


Runtime requirements

Bins: vercel, python3

Environment variables

- GEMINI_API_KEY (optional): [Basic mode] Gemini API key
- SUPABASE_URL (optional): [Relay mode] Supabase project URL
- SUPABASE_SERVICE_KEY (optional): [Relay mode] Supabase Service Role Key
latest: vk9731423ks0bxvw01yj9y9azhn821jbc
827 downloads · 0 stars · 9 versions · Updated 6h ago · v1.2.8 · MIT-0

🟡 KakaoTalk AI Agent

Chat with your own AI assistant through a KakaoTalk channel.
With Vercel you can run it for free and permanently, without worrying about servers.

Two modes are supported.

| Mode | Difficulty | Features | Recommended for |
| --- | --- | --- | --- |
| 🅰️ Basic | | Vercel is all you need. Fast and simple. | Simple chatbots, Q&A bots |
| 🅱️ Relay | ⭐⭐⭐ | Connects to your computer (OpenClaw). Has memory. | Personal assistant, work automation |

🚀 Common prerequisites

  1. Kakao Business account: business.kakao.com (open a channel)
  2. Kakao i Open Builder: i.kakao.com (create a bot)
  3. Vercel account: vercel.com (for deployment)

🅰️ Option A: Basic mode (5 minutes)

Use this method if the AI only needs to give simple answers.

1. Deploy

Run the commands below in a terminal. (A Gemini API key is required.)

# 1. Move into the skill folder
cd skills/kakaotalk

# 2. Deploy to Vercel (setting the environment variable)
# Replace GEMINI_API_KEY with your own key.
vercel deploy --prod --env GEMINI_API_KEY=AIzaSy...

When the deployment finishes you get a https://...vercel.app address.
Skill URL: https://[your-address].vercel.app/kakao

2. Connect Open Builder

  1. Register the skill: Open Builder > Skills > Add > enter the URL
  2. Fallback block: Scenario > Fallback block > Bot response > select "Use skill data"
  3. Deploy: click the [Deploy] button at the top right

Done! Now try chatting in your KakaoTalk channel.


🅱️ Option B: Relay mode (a real assistant)

Use this method if you want to say things like "read the file on my computer" or "continue what we were talking about" over KakaoTalk.
Vercel acts as the mailbox, and your computer answers directly.

1. Prepare Supabase (the mailbox)

  1. Create a Supabase project.
  2. Run the query below in the SQL Editor:
    create table kakaotalk_queue (
      id bigint generated by default as identity primary key,
      user_id text not null, utterance text not null, callback_url text,
      status text default 'pending', response text, created_at timestamptz default now()
    );

2. Deploy to Vercel (the mailbox keeper)

Deploy with the Supabase keys instead of the Gemini key.

# Find SUPABASE_URL and the service key under your project's Settings > API menu
vercel deploy --prod \
  --env SUPABASE_URL=https://... \
  --env SUPABASE_SERVICE_KEY=eyJ...

3. Open Builder settings (AI chatbot)

  1. Settings > switch to AI chatbot (required! needed for the callback feature)
  2. Register the skill URL and deploy (same as Basic mode)

4. Run the local watcher (the brain)

Keep the script below running on your computer and it will handle your KakaoTalk messages.

# After saving SUPABASE_URL and SERVICE_KEY in the ~/.openclaw/.env file:
python3 skills/kakaotalk/scripts/watcher.py

Now, as long as your computer is on, the KakaoTalk bot has exactly the same intelligence you do.
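The Relay flow of steps 1 to 4, as an added example that is not the skill's own api/index.py or watcher.py: a SQLite stand-in for the kakaotalk_queue table with the same columns, the insert the Vercel side performs on each webhook, and one watcher pass that claims pending rows with a conditional UPDATE so a row is never answered twice, then marks rows whose callback_url points outside an allow list as rejected instead of posting to them. The allow-list host (callback.example), the reply function and all sample messages are constructed placeholders; the page does not state the real Kakao callback host.

```python
import sqlite3
from urllib.parse import urlparse

# Same columns as the kakaotalk_queue table from step 1. SQLite stands in for
# Supabase/Postgres so the example runs offline (identity -> autoincrement).
SCHEMA = """
create table kakaotalk_queue (
  id integer primary key autoincrement,
  user_id text not null, utterance text not null, callback_url text,
  status text default 'pending', response text,
  created_at text default current_timestamp
)
"""

# Hosts the watcher is willing to POST a reply to. Constructed placeholder:
# replace it with the callback host Open Builder actually uses.
ALLOWED_CALLBACK_HOSTS = {"callback.example"}


def open_queue() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def enqueue(conn, user_id, utterance, callback_url) -> int:
    """Vercel side of Relay mode: store the message plus the callback URL,
    answer the webhook immediately, and leave the real reply to the watcher."""
    cur = conn.execute(
        "insert into kakaotalk_queue (user_id, utterance, callback_url) values (?, ?, ?)",
        (user_id, utterance, callback_url),
    )
    conn.commit()
    return cur.lastrowid


def claim_next(conn):
    """Watcher side: take the oldest pending row and flip it to 'processing'.
    The UPDATE re-checks status = 'pending', so a second watcher or a retry
    that raced us gets rowcount 0 and moves on instead of answering twice."""
    while True:
        row = conn.execute(
            "select id, user_id, utterance, callback_url from kakaotalk_queue "
            "where status = 'pending' order by id limit 1"
        ).fetchone()
        if row is None:
            return None
        job_id, user_id, utterance, callback_url = row
        claimed = conn.execute(
            "update kakaotalk_queue set status = 'processing' "
            "where id = ? and status = 'pending'",
            (job_id,),
        ).rowcount
        conn.commit()
        if claimed == 1:
            return {"id": job_id, "user_id": user_id,
                    "utterance": utterance, "callback_url": callback_url}
        # Lost the race for this row; loop and pick the next pending one.


def finish(conn, job_id, status, response=None):
    conn.execute(
        "update kakaotalk_queue set status = ?, response = ? where id = ?",
        (status, response, job_id),
    )
    conn.commit()


def status_of(conn, job_id):
    return conn.execute(
        "select status, response from kakaotalk_queue where id = ?", (job_id,)
    ).fetchone()


def run_watcher_once(conn, reply_fn):
    """One polling pass of the watcher. Rows whose callback_url is outside
    the allow list are marked 'rejected' rather than posted to, so a bad or
    tampered row cannot redirect an answer to an arbitrary host. Returns the
    (callback_url, response) pairs a real watcher would POST back."""
    posted = []
    while (job := claim_next(conn)) is not None:
        host = urlparse(job["callback_url"] or "").hostname
        if host not in ALLOWED_CALLBACK_HOSTS:
            finish(conn, job["id"], "rejected")
            continue
        answer = reply_fn(job["utterance"])
        finish(conn, job["id"], "done", answer)
        posted.append((job["callback_url"], answer))
    return posted


if __name__ == "__main__":
    q = open_queue()
    enqueue(q, "user-1", "hello", "https://callback.example/cb/1")  # constructed
    print(run_watcher_once(q, lambda text: "echo: " + text))
```

The conditional UPDATE is what makes the queue safe to poll from more than one place, and the host check is the watcher-side counterpart of the review's warning about misconfigured callback URLs: a row the watcher will not post to is still recorded, with its status, so it can be looked at later.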


🔧 Advanced settings (changing the persona)

If you want to change the bot's tone or role, add an environment variable when deploying.

vercel deploy --prod \
  --env KAKAOTALK_SYSTEM_PROMPT="너는 친절한 고양이 로봇이야. 말 끝마다 '냥'을 붙여."

File structure

skills/kakaotalk/
├── api/
│   └── index.py      # Vercel server (switches between Basic/Relay mode automatically)
├── scripts/
│   └── watcher.py    # [Relay mode] local processor
├── vercel.json       # Vercel configuration
└── SKILL.md          # Documentation
