ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Idea Vault

v1.0.1

Save and organize links, notes, and timestamps into a searchable Idea Vault. Use when a user drops a YouTube/web link (or just notes), then says “/vault” or...

0· 340·0 current·0 all-time
byLiam@loughness
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual capabilities: extracting captures from chat, fetching YouTube transcripts, saving markdown entries and an index. Required binary (python3) and the transcript API key (IDEA_VAULT_TRANSCRIPTAPI_KEY) are expected for this functionality. Minor inconsistency: SKILL.md calls the transcript API key "strongly recommended" while registry metadata marks it as the primaryEnv, but this is a small documentation mismatch rather than a functional mismatch.
Instruction Scope
Runtime instructions are narrowly scoped to: reading recent chat messages (provided to the extractor via stdin/messages.json), fetching transcripts from YouTube/TranscriptAPI, creating local files under a vault directory, and optionally downloading attachments. The SKILL.md explicitly warns about external network calls and does not instruct reading unrelated system files or secrets.
Install Mechanism
There is no automatic install step in the registry (user runs pip install -r requirements.txt). The requirements are minimal (requests). No remote, untrusted archives or opaque installers are fetched by the install process declared in the skill; only user-invoked package installation is recommended.
Credentials
The skill declares a single primary credential (IDEA_VAULT_TRANSCRIPTAPI_KEY) which maps to the TranscriptAPI calls; other optional env vars (e.g., IDEA_VAULT_DIR, YTDLP-related vars) are mentioned but not required. This is generally proportionate, though the metadata/README wording about which vars are required vs. recommended is slightly inconsistent and should be clarified before deployment.
Persistence & Privilege
always:false and no code indicates modification of other skills or system-wide settings. The skill writes to a local vault directory (user-configurable) and caches transcripts; this is expected behavior and limited in scope.
Assessment
This skill appears to do what it claims: capture chat drops and optionally fetch YouTube transcripts. Before installing: (1) confirm you are comfortable with outbound requests to YouTube and transcriptapi.com (the transcript API key is used for TranscriptAPI); (2) pick a safe VAULT_DIR and avoid storing sensitive private chat content there; (3) keep API keys in environment variables and out of commits; (4) review that downloading attachments (the script can save assets) fits your security policy; and (5) if you rely on yt-dlp, ensure that binary and any cookies you provide are trustworthy. The transcript API key being marked as primary in metadata but described as "recommended" in docs is a minor documentation mismatch—clarify whether the key is mandatory for your use case.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binspython3
Primary envIDEA_VAULT_TRANSCRIPTAPI_KEY
knowledge-managementvk97862ff8nxhgfwfc82x561d7182bd6dlatestvk97862ff8nxhgfwfc82x561d7182bd6dproductivityvk97862ff8nxhgfwfc82x561d7182bd6d
340downloads
0stars
2versions
Updated 2d ago
v1.0.1
MIT-0
Liam@loughness
knowledge-managementlatestproductivity
Download

Idea Vault (Public)

A lightweight capture → organize → retrieve workflow.

Goal

Turn messy chat drops (links + rough notes + timestamps) into structured markdown entries and a searchable index.

One-time setup (required)

Run this once after cloning the skill so OpenClaw can execute it reliably:

cd ~/.openclaw/skills/idea-vault
python3 --version
python3 -m pip install -r requirements.txt

Environment setup (recommended):

cp .env.example .env
# then set IDEA_VAULT_TRANSCRIPTAPI_KEY and IDEA_VAULT_DIR in your shell/env manager

Notes:

  • Python 3 is required.
  • requests from requirements.txt is required.
  • IDEA_VAULT_TRANSCRIPTAPI_KEY is strongly recommended for reliable YouTube transcripts.
  • yt-dlp is optional fallback for some videos/environments.

Privacy and network behavior

This skill can make outbound network calls to:

  • youtube.com (video/transcript fallback paths)
  • transcriptapi.com (when IDEA_VAULT_TRANSCRIPTAPI_KEY is set)
  • source/asset URLs included in captured messages

Security notes:

  • The helper uses subprocess.run([...], shell=False) for yt-dlp (no shell string execution).
  • Do not use this skill with sensitive private chat content unless you are comfortable with these external calls.
  • Keep API keys in environment variables only; never commit secrets.

Inputs supported

  • YouTube links + notes + optional timestamps
  • Web links + notes
  • Note-only captures (no link)

Recommended path setup (portable)

Use an environment variable or local default path:

VAULT_DIR="${IDEA_VAULT_DIR:-$HOME/workspace/idea-vault}"
CACHE_DIR="$VAULT_DIR/_cache"

Core flow (triggered by /vault or vault)

  1. Read recent messages in the current chat.
  2. Extract the newest capture block.
  3. If source is YouTube, fetch transcript + optional clips around timestamps.
  4. Write summary/elaboration/tags/associations.
  5. Upsert into vault (append addendum on duplicate URL/video).

Commands

Extract capture

python3 ./scripts/idea_vault.py extract --user-id <author.id> --fallback-messages 30 < messages.json > capture.json

Fetch transcript (YouTube only)

Preferred source is TranscriptAPI via IDEA_VAULT_TRANSCRIPTAPI_KEY.

python3 ./scripts/idea_vault.py fetch --cache-dir "$CACHE_DIR" < capture.json > youtube.json

Save / upsert entry

python3 ./scripts/idea_vault.py upsert --vault-dir "$VAULT_DIR" < save_request.json > saved.json

Query vault

python3 ./scripts/idea_vault.py query --vault-dir "$VAULT_DIR" --limit 50
python3 ./scripts/idea_vault.py query --vault-dir "$VAULT_DIR" --since 2026-03-01
python3 ./scripts/idea_vault.py query --vault-dir "$VAULT_DIR" --channel "podcast" --text "pricing"

Annotate latest entry

python3 ./scripts/idea_vault.py annotate --vault-dir "$VAULT_DIR" --last --star true --priority high --add-tag actionable

save_request.json shape

{
  "capture": {"...": "from extract"},
  "source": {
    "kind": "youtube|web|note",
    "url": "https://... (optional)",
    "title": "string (optional)",
    "author": "string (optional)",
    "id": "string (optional)",
    "transcript_txt": "/path/to/transcript.txt (youtube only, optional)",
    "transcript_json": "/path/to/raw.json (youtube only, optional)",
    "clips": [{"center_sec": 123, "window_sec": 60, "text": "..."}]
  },
  "summary": "string",
  "elaboration": "string",
  "tags": ["tag"],
  "associations": [{"timestamp_sec": 1461, "note": "..."}]
}

Output layout

Under VAULT_DIR:

  • entries/YYYY/YYYY-MM-DD__<slug>__[<suffix>].md
  • transcripts/YYYY/<id>.transcript.txt (YouTube only)
  • assets/YYYY/MM/* (optional attachments)
  • index.json
  • _cache/

Agent response style after save

Reply with:

  • title + link
  • 3–6 concise bullets
  • relevant clips for flagged timestamps (if present)
  • saved file path

Comments

Loading comments...