Mult Call

This skill appears to implement the advertised recall functionality, but there are some mismatches and environment handling risks you should address before installing: - The skill's SKILL.md expects Neo4j/Milvus credentials (NEO4J_*, MILVUS_*, EMBEDDING_*, etc.) even though the registry lists no required env vars. Treat any .env values as sensitive — the skill may use them to connect to your services. - index.js reads a parent ../.env file and injects those variables into process.env, then forwards the entire environment to the Python subprocess. If your repo .env (or any existing env vars) contains unrelated secrets (cloud keys, tokens), those will be accessible to this skill. Consider removing or sanitizing such secrets before running. - If you plan to enable realtime Neo4j/Milvus integration, provide only least-privileged credentials and test in a sandbox. If you do not want the skill to access external services, run it in an environment without those .env keys or with dummy credentials — the Python class is written to degrade to a default DDL and empty QA list when services are not injected. - If you need stronger assurance, open the full multi_call.py file (the part that may create service clients from environment) and confirm it does not transmit data to unexpected endpoints. Alternatively, run the skill locally in an isolated container to observe its outgoing connections. Given the mismatch between declared requirements and the code's env handling, proceed cautiously and avoid exposing production secrets to this skill until you confirm which environment variables it will actually use.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.