Deep Read
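v1.0.0
Analyzes books in depth using research methods, distilling core ideas and memorable quotes, and generating practical application guidance and linked evergreen notes.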
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code and SKILL.md: the skill analyzes books and emits insights/evergreen-note links. However, requirements.txt includes openai and obsidian-api even though the shipped code is a local placeholder and the skill does not declare or document required credentials or where Obsidian integration would connect. This is likely sloppy packaging rather than outright malicious, but it's an unexplained dependency.
Instruction Scope
SKILL.md describes inputs (book_title, optional book_file, user_notes) and outputs and does not instruct reading unrelated files, environment variables, or external endpoints. The runtime instructions explicitly say OpenAI or other model calls are a placeholder and should be replaced in the hosting environment.
Install Mechanism
There is no install spec (instruction-only behavior) which is low-risk. But a requirements.txt lists third-party packages (openai, pandas, markdown, obsidian-api). Installing those packages would pull code from PyPI; obsidian-api and openai are notable because they may enable network calls. The repository does not provide an install script or pin trusted release sources.
Credentials
The code imports openai (and requirements list openai) but the skill does not declare any required environment variables (e.g., OPENAI_API_KEY). If the placeholder were replaced with actual API calls, an API key would be needed — this mismatch is unexplained. Similarly, obsidian-api suggests possible integration with a user's Obsidian vault or service, but no config variables or paths are declared. Requesting secrets or vault access without documenting why is a proportionality concern.
Persistence & Privilege
Skill does not request always:true, requires no special config paths, and has no install script that modifies other skills or system-wide settings. It appears to be a normal, non-persistent skill.
What to consider before installing
This skill appears to do what it says (deep book analysis) and its code is a safe placeholder, but there are a few red flags to check before installing:
- The project lists openai and obsidian-api in requirements but does not declare any environment variables (e.g., OPENAI_API_KEY) or explain how Obsidian integration is configured. Ask the author or documentation how API keys or Obsidian credentials are expected to be provided.
- If you install dependencies, they will be fetched from PyPI; review those packages (especially obsidian-api) to ensure you trust them.
- If you must provide an API key (OpenAI or similar) or Obsidian credentials, limit the key permissions and avoid sharing highly privileged credentials.
- Prefer running this in a sandboxed environment and inspect/modify the code yourself to ensure it only calls the services you expect (or remove the unused dependencies if you won't use them).
If the author can confirm how API keys and Obsidian integration should be provided (or remove those dependencies if unused), the inconsistencies would be resolved and the skill would be reasonable to use.
Like a lobster shell, security has layers — review code before you run it.
Deep Read
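Display name: Deep Read
Version: 1.0.0
Description: Performs in-depth analysis of books using a research-driven approach, distilling core ideas and memorable quotes, and generating practical application guidance and linked evergreen notes.
Author: Zhu Bao
Input parameters
- book_title (string, required): book title
- book_file (file, optional): book file (PDF/EPUB/TXT)
- user_notes (list, optional): notes the user has already entered, used to generate linked evergreen notes
Output parameters
- author_info (string): author introduction (biography, education, major works, influence, etc.)
- creation_context (string): background to the writing (period, social environment, motivation, reviews, etc.)
- book_outline (string): chapter structure, outline and core ideas
- main_content (string): interpretation and analysis of the book's main content
- core_insights (string): the book's most important ideas and insights
- key_quotes (list): thought-provoking quotes with analysis
- application_examples (list): guidance for applying the ideas in life, study and work
- related_evergreen_notes (list): evergreen note titles and links generated from the user's notes
Tags
#deep-reading #knowledge-management #research-driven #book-analysis #insights
Usage example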
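from deep_read_generator import deep_read_analysis

# book_title is required; user_notes is optional and feeds the
# related_evergreen_notes output.
result = deep_read_analysis(
    book_title="原则",
    user_notes=["已读章节摘要", "高亮笔记"],
)

# The result is a dict keyed by the output parameter names.
print(result['core_insights'])
print(result['application_examples'])
print(result['related_evergreen_notes'])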
