Chinese AI Knowledge Management

Pass. Audited by ClawScan on May 10, 2026.

Overview

This appears to be a coherent knowledge-base tool, but it can persist agent logs and send selected content to AI providers when optional AI features are used.

This skill is reasonable to install if you want a local Chinese knowledge-management workflow. Before enabling AI extraction, semantic deduplication, or daily Heartbeat sync, confirm which logs or dumps will be processed, verify provider endpoints and API keys, use dry-run for sync, and manually review extracted drafts before importing them.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Information from agent logs may become long-lived local memory and influence future knowledge lookups or summaries.

Why it was flagged

The skill intentionally turns agent logs into persistent knowledge-base content, so sensitive or mistaken log entries may be preserved and reused later.

Skill content
Automatically distills the agent's logs into a structured knowledge base. The core workflow is driven by deterministic scripts
Recommendation

Avoid syncing secrets or private material into logs, review generated knowledge regularly, and use dry-run when checking new sync behavior.

What this means

Conversation dumps or log snippets processed with AI features may be sent to the configured embedding or LLM provider.

Why it was flagged

Optional AI features use external provider APIs for embeddings and conversation extraction, meaning selected content may leave the local machine when those features are invoked.

Skill content
Semantic dedup via bge-m3 embedding (SiliconFlow / OpenAI compatible) ... LLM conversation knowledge extraction
Recommendation

Verify provider endpoints and data-handling policies before using --semantic or extract, and keep core sync offline if the logs contain sensitive information.

What this means

Installed users may need to grant the skill access to AI-provider accounts through environment variables.

Why it was flagged

The skill relies on provider API keys for optional AI functions. This is expected for the documented integrations, and the provided artifacts do not show hardcoded keys or credential logging.

Skill content
export SILICONFLOW_API_KEY=your-key    # for semantic dedup
export ARK_API_KEY=your-key            # for LLM extraction
Recommendation

Use least-privilege provider keys where possible, store them securely, and do not configure AI credentials unless you plan to use those features.

Note, High Confidence
ASI10: Rogue Agents
What this means

If Heartbeat is enabled, the knowledge base may be updated daily without a fresh manual command each time.

Why it was flagged

The skill documents recurring daily synchronization. It is disclosed and aligned with the purpose, but it is still autonomous recurring behavior that updates local knowledge files.

Skill content
Heartbeat scheduled trigger (one sync per day) ... The daily Heartbeat should run `node {baseDir}/km.js sync --days 1`
Recommendation

Enable daily Heartbeat only if you want automatic knowledge-base updates, and periodically review the generated files.

What this means

Users have less registry-level assurance about the origin of the packaged skill.

Why it was flagged

The registry metadata does not provide clear source provenance, even though the included files contain README and clawhub metadata with GitHub references. This is a provenance note, not evidence of malicious behavior.

Skill content
Source: unknown
Homepage: none
Recommendation

Install from a trusted registry entry and compare the package with the intended upstream repository if provenance matters for your environment.