Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Knowledge Orchestrator

v1.0.0

Centrally manages and coordinates the Zotero, Obsidian and IMA platforms, providing cross-platform literature search, note sync and linking.

0 · 66 · 0 current · 0 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jirboy/knowledge-orchestrator.

Install the skill "Knowledge Orchestrator" (jirboy/knowledge-orchestrator) from ClawHub.
Skill page: https://clawhub.ai/jirboy/knowledge-orchestrator
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install knowledge-orchestrator

ClawHub CLI

npx clawhub@latest install knowledge-orchestrator
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill declares no required environment variables or binaries in the registry, but the SKILL.md and code expect Zotero and IMA credentials stored under ~/.config (api_key, client_id) and import local submodules for Zotero/Obsidian. Requesting local config files and importing other modules is reasonable for a cross-platform orchestrator, but the registry should list these needs; the mismatch suggests incomplete or sloppy packaging.
! Instruction Scope
SKILL.md explicitly instructs use of credential files at ~/.config/zotero/api_key and ~/.config/ima/{client_id,api_key}. The included Python script also modifies sys.path to import zotero/obsidian managers from parent directories. Those instructions require reading local sensitive files and executing code from adjacent modules — actions beyond a simple read-only 'search' description and not declared in the skill metadata.
Install Mechanism
No install spec (instruction-only) which reduces installer risk, but a non-trivial code file is included. The script depends on additional local modules (zotero-manager, obsidian-manager) that are not in the manifest; running the script will import and execute code from the filesystem, so the absence of those files in the package is a packaging / dependency concern.
! Credentials
Registry lists no required environment variables or primary credential, yet SKILL.md and the code expect sensitive API keys stored in local config paths. Sensitive items (api_key, client_id) are referenced but not declared — this is disproportionate and increases the chance of surprise exposure if the agent reads those files. The skill also alters sys.path which could allow execution of arbitrary local code.
Persistence & Privilege
The skill does not request persistent 'always' inclusion and allows normal agent invocation. It does not declare actions that modify other skills or global agent config. No elevated platform privileges are requested in the manifest.
What to consider before installing
This skill appears to try to coordinate Zotero, Obsidian and an IMA service, which matches its name — but it is packaged poorly: it references sensitive config files (~/.config/zotero and ~/.config/ima) and imports local 'zotero-manager' and 'obsidian-manager' modules that are not included or declared. Before installing or running it:

  1) treat it as untrusted code — inspect the missing modules (zotero_search.py, obsidian_search.py) and any network calls they make;
  2) don't place real API keys in global ~/.config paths or run the skill on a machine with sensitive data until you verify what it reads/transmits;
  3) prefer to run it in an isolated environment (VM/container) and monitor network traffic;
  4) ask the publisher for the missing modules or a clear dependency list and for a project homepage or source repository to review.

The issues look like sloppy packaging rather than clearly malicious intent, but the combination of undeclared credential access and dynamic imports is a real risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk970pw2hsv4m0t5yz6phg0z0yh851sky
66 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

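⚠️ Consolidated - please use the unified knowledge entry point

This skill is retained for backward compatibility; its functionality has been consolidated into the unified knowledge entry-point skill.

Recommended: knowledge search/sync/link [arguments], or use this skill directly (calls are forwarded automatically)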


Knowledge Orchestrator (compatibility layer)

A knowledge-base orchestrator that centrally manages three platforms: Zotero + Obsidian + IMA.

Migration guide

New usage:

knowledge search RTHS --all
knowledge sync 笔记名称 --to-ima
knowledge link 10.1002/eqe.1234 RTHS 综述

Old usage (still works):

search RTHS --all
sync 笔记名称 --to-ima

Core features

  • 🔍 Unified search (cross-platform)
  • ☁️ Cloud sync (IMA)
  • 🔗 Link literature and notes

Configuration requirements

Service   Config file                  Description
Zotero    ~/.config/zotero/api_key     Literature library access
IMA       ~/.config/ima/client_id      Client ID
IMA       ~/.config/ima/api_key        API key

Security notes

  • ✅ Sends data only to the official APIs (api.zotero.org, ima.qq.com)
  • ❌ Do not share credentials
  • ❌ Do not hard-code them in scripts
