Wine Archive
v0.1.7Store, recall, and manage personal wine tastings and labels using natural language queries with durable image storage in a local SQLite database.
⭐ 1· 58·0 current·0 all-time
bySimon I Dvorak@sidvorak
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the code and scripts: local SQLite DB, label image archiving, natural-language parsing, optional LLM intent classification, and an OpenClaw/Telegram bridge. Declared optional env vars (ANTHROPIC_API_KEY, OPENAI_API_KEY, WINE_DB_PATH, etc.) align with documented optional features. Dependencies (@anthropic-ai/sdk, better-sqlite3) are appropriate for the stated functionality.
Instruction Scope
SKILL.md and scripts instruct the agent to run npm scripts, read/write the local DB (data/wine/*), copy/serve label image files, and (optionally) call the OpenClaw CLI to send Telegram media. All of this is within the stated purpose. Note: export (--include-images) will embed image bytes in a JSON export and import may write those images back to disk — these are user-initiated operations that can move your local images into a portable file.
Install Mechanism
There is no platform install spec in the registry metadata (instruction-only at install time), but the package includes package.json/package-lock and depends on native modules (better-sqlite3) and an LLM SDK. npm install (or setup.sh) will pull packages and build native addons; that is expected but means network access and build steps occur during install. No downloads from unknown personal servers or URL shorteners were observed.
Credentials
No required secret env vars are declared by default. Optional keys (ANTHROPIC_API_KEY, OPENAI_API_KEY) are clearly documented and only used for optional LLM features. No unrelated credentials (AWS, SSH keys, etc.) are requested. The skill will read/write local file paths and the DB path can be overridden via WINE_DB_PATH.
Persistence & Privilege
Skill does not request 'always: true' and follows normal agent invocation. It stores data under its own data/wine directory and writes an append-only audit.log there; it does not modify other skills' configs or system-wide settings. Files are written only when invoked (e.g., add/import/export actions).
Assessment
This skill appears to do what it says: local SQLite storage of wine entries and images, optional LLM intent classification, and an OpenClaw Telegram bridge. Things to consider before installing:
- Review setup.sh before running it; installation runs npm which will fetch/build native modules (better-sqlite3) and may run build scripts.
- LLM API keys (Anthropic/OpenAI) are optional — only set them if you want LLM intent classification. Keep those keys secret and only add them to a local .env you control.
- The skill will copy any file path you pass as an image into data/wine/labels. Do not point it at sensitive system files (e.g., /etc/*) when using commands that accept --image or when importing exports with embedded images.
- Export (--include-images) will embed label images (base64) into a JSON file; treat that file as sensitive if it contains images from your archive.
- If you use the Telegram bridge, confirm OpenClaw/Telegram credentials are configured separately and that you trust the target Telegram channel — the skill constructs and emits an openclaw CLI command to send media but does not itself hold external bot credentials.
If you want higher assurance, inspect setup.sh, scripts/wine-service.js, and shared/llm-router (the LLM call path) locally before running npm install and using the skill.Like a lobster shell, security has layers — review code before you run it.
latestvk97c03c08qd5kbr9ye9br092v984wgbz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.