smart-collect
v1.0.0
Analyzes and summarizes the content of URL links, saves it to Obsidian, and sends periodic review reminders
by mickey @nbutmickey
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (collect URLs, summarize, save to Obsidian, schedule reviews) match the included code: fetcher, LLM wrapper, markdown store, and review engine. The skill expects an LLM/feishu configuration in config.json.example (documented in SKILL.md) which is coherent with the LLM and notifier code. Minor note: the published metadata lists no required env vars but the code can use a DeepSeek API key (process.env.DEEPSEEK_API_KEY) and accepts feishu config — this is optional in practice but is not reflected in the registry metadata.
Instruction Scope
SKILL.md instructs adding a cron job to run the review script; scripts read/write Markdown files under a user-specified storagePath (defaults to ~/Desktop/Obsidian/Star). The fetcher fetches arbitrary user-provided URLs (outbound HTTP(S) calls) and can call an LLM endpoint. The browser-based scraping path references a local snapshot endpoint (http://127.0.0.1:18800/snapshot?url=...) — this is not external but will attempt to use a local service if available. Overall the instructions stay within purpose, but you should be aware scheduled runs will perform network requests and create/update files in your home directory.
Install Mechanism
No install spec; this is instruction + code only and does not pull executables from external URLs. That minimizes install-time risk. The code uses Node standard libs and child_process is referenced but not used to execute arbitrary external binaries.
Credentials
The skill does not declare required env vars in the registry, but the code supports using a DeepSeek API key (process.env.DEEPSEEK_API_KEY) and expects an LLM/Feishu configuration in config.json. Requesting an LLM API key or notifier config is proportionate to the stated functionality; however, the metadata could be clearer about optional credentials so users know to provide them before use.
Persistence & Privilege
always:false (normal). The skill will create files in the specified storage path (default in the user's home directory) and SKILL.md suggests adding a scheduled job to OpenClaw's jobs.json to run the review script daily — that requires editing OpenClaw configuration but the skill itself does not force-enable itself or modify other skills. Scheduled execution means network fetches and file writes will occur unattended when the job runs; review config carefully before enabling scheduling.
Assessment
This skill appears to do what it says, but before installing or enabling scheduled runs: 1) open config.json.example and verify storagePath (change it if you don't want files written to the default ~/Desktop/Obsidian/Star); 2) if you provide an LLM API key, understand LLM calls will go to the configured service (DeepSeek by default) — only provide keys for services you trust; 3) the reviewer/cron suggestion will cause the review script to run automatically and fetch user-provided URLs (outbound network activity) — only schedule it if you trust the skill and the URLs it will fetch; 4) the fetcher may try to use a local snapshot service at 127.0.0.1:18800 for dynamic pages — ensure that local service is trusted; 5) review or run the scripts manually first (node scripts/shoucang-add.js, node scripts/shoucang-review.js) to confirm behavior before adding to OpenClaw cron. If you want higher assurance, inspect config.json you create and run the scripts in a contained environment before enabling automation.
lib/fetcher.js:13
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.
Like a lobster shell, security has layers — review code before you run it.
