Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
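AI Meeting Minutes Generator
v1.0.0
AI Meeting Minutes Generator - Automatically organizes meeting recordings or text transcripts and generates structured meeting minutes. Supports extracting action items, decision points, and key conclusions, and outputs professionally formatted meeting documents.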
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims transcription and GPT-based analysis and shows example commands that run node scripts (scripts/minutes.mjs), but the registry bundle contains only README.md and SKILL.md — the actual scripts are missing. The README also names external services (Whisper API, GPT API) while the skill declares no required env vars or credentials. This mismatch suggests the package is incomplete or is relying on external downloads/install steps that are not provided.
Instruction Scope
Runtime instructions are limited and explicit (run node scripts with an input file or audio), and do not instruct sweeping system access. However they are vague about how transcription and API calls are authenticated/performed. Because the referenced scripts are not included, the agent or user may attempt to fetch or install code from the homepage or other sources — that network activity and any data sent to external APIs is not specified in the SKILL.md.
Install Mechanism
There is no install spec (instruction-only), which is low-risk by itself, but the provided usage assumes local Node scripts exist. The lack of included code combined with no install instructions means a human or agent would need to fetch code from the homepage or elsewhere; fetching and executing external JS without review is risky.
Credentials
The README/architecture mention Whisper API and GPT API, which normally require API keys, but the skill declares no required environment variables or primary credential. This is inconsistent: either the skill does not actually call those services, or it expects credentials to be supplied out-of-band (not declared). Missing declared credentials is a red flag for completeness and for potential unexpected prompts to provide secrets at runtime.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always:false) and does not declare any config paths or privileged system changes. There is no evidence it modifies other skills or agent-wide settings.
What to consider before installing
Do not run node scripts from this package without first verifying the source code. Steps to take before using:
1) Visit the declared homepage (https://github.com/openclaw/ai-meeting-minutes) and confirm the repository contains the scripts/minutes.mjs and review them for network calls and unsafe behavior.
2) Verify how Whisper/GPT API keys are provided — avoid entering secrets into prompts; prefer documented environment variables or credentials stored securely.
3) If you must run the tool locally, fetch a released tarball or official package, inspect the code (especially network access and remote endpoints), and run it in a sandboxed environment with non-sensitive test data first.
4) If the package should have included scripts but did not, treat the omission as incomplete/possibly malicious and prefer obtaining the tool from a trusted release or maintainer.
If you want, provide the repository URL or the missing scripts and I can inspect them for network endpoints, credential usage, and suspicious patterns.
Like a lobster shell, security has layers — review code before you run it.
latest: vk974654pnagwsz84jkcemtgf8183903g
Runtime requirements
📝 Clawdis
Bins: node
