Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (memorial archives, persona reconstruction, voice cloning) match the included tools: chat parsers, photo analyzer, audio transcriber/preprocessor, voice trainer/synthesizer, skill_writer, and prompts. Requiring access to local chat exports, audio and photos is expected for this purpose.
Instruction Scope
SKILL.md explicitly instructs running local Python tools (wechat extraction, preprocess, transcription, training, synthesis) and to read/write files under memorials/{slug}/. All actions are within the stated scope, but several are high-impact: decrypt/parse WeChat exports, read chat databases and audio files, and train local voice models. The instructions repeatedly assert "data only local," but you should confirm the scripts do not contain unexpected network calls before running.
Install Mechanism
No install spec for the skill itself (instruction-only frontmatter), which lowers installer risk. The README/INSTALL recommend cloning external repos and downloading large ML models (openai-whisper, GPT-SoVITS, PyTorch CUDA wheels, pretrained weights). Those downloads are expected for voice cloning but will pull code/data from third-party sources (GitHub, PyTorch), so verify sources and be prepared for large network transfers.
Credentials
The registry metadata declares no required env vars, no credentials, and no config paths. The toolset operates on user-provided local files (chat exports, audio, photos). The lack of requested secrets is consistent with the described offline/local design.
Persistence & Privilege
The skill is user-invocable, not always-on. It requests file read/write and Bash tool use (for running the included scripts), which is necessary for creating and updating memorials; it does not request elevated persistent platform privileges in the metadata.
Assessment
This repo appears internally consistent with its purpose: it processes local chat logs, photos and audio to build memorial archives and optionally trains a local voice model. Before installing or running: 1) Review the Python scripts (especially wechat_voice_extractor.py, voice_trainer.py, voice_synthesizer.py) for any network calls or unexpected behavior; run them in a sandbox or VM if possible. 2) Expect large downloads (Whisper models, PyTorch/CUDA wheels, GPT-SoVITS weights) and GPU needs for voice training. 3) The skill requires access to sensitive personal data (chat histories, voice messages, photos). Ensure you have consent from data owners and comply with local laws/ethics, especially for voice cloning of deceased persons. 4) Prefer to keep memorials on an isolated disk and back up before bulk operations; verify the toolchain's source URLs (GitHub repos) and checksum downloaded models. 5) If you cannot audit the code fully, avoid running the extraction/training steps that touch system files (WeChat DB) or run them in an isolated environment.Like a lobster shell, security has layers — review code before you run it.
latestvk97bxxpety0xmntw08tezqh8jh84581h
License
MIT-0
Free to use, modify, and redistribute. No attribution required.