Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
微信聊天记录知识卡片提取工具
v1.0.0微信聊天记录知识卡片提取工具。将WeFlow导出的JSON数据转换为个人知识库、知识卡片和个人分身训练数据。触发场景:(1) 用户需要分析微信聊天记录;(2) 从微信数据中提取知识卡片;(3) 构建个人知识库;(4) 整理客户画像;(5) 生成训练数据用于AI分身。
⭐ 0· 51·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill states its purpose is to convert WeFlow JSON into a personal knowledge base and store results in Feishu (多维表格/文档). However, the shipped Python (parse_weflow.py) only reads local JSON and writes a markdown file; it does not implement any Feishu API calls, nor does the manifest declare Feishu credentials, required binaries, or dependencies. Expectation: Feishu integration would normally require API tokens/SDKs or a CLI; those are not requested or provided, which is an incoherence between claimed purpose and actual capability.
Instruction Scope
SKILL.md instructs the agent to read WeFlow JSON files (e.g., cat /path/to/weflow_export/*.json) and to use tools referenced as feishu_bitable_app or feishu_create_doc to store results. Reading local chat-export files is consistent with the stated purpose, but references to feishu_* tools are vague and unsatisfied by code. The instructions do not ask the agent to read unrelated system files or secrets, which is good, but they leave unspecified where Feishu credentials should come from.
Install Mechanism
No install spec is provided (instruction-only with a small helper script). Nothing is downloaded or written to the system beyond using the included parse_weflow.py. This is low-risk from an installation perspective.
Credentials
No environment variables, credentials, or config paths are declared, yet the skill explicitly describes storing data into Feishu. Feishu access normally requires API tokens/credentials (e.g., app_id/app_secret, access token). The absence of any declared required credentials or guidance about where they come from is a mismatch and could lead to accidental exposure (if an agent tries to reuse unrelated credentials) or silent failure. Additionally, the skill processes sensitive personal data (WeChat messages) — storing/transmitting that data requires explicit auth and privacy controls, which are not described.
Persistence & Privilege
Flags show always:false and user-invocable:true; the skill does not request permanent presence or elevated platform privileges, and it does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (default) but not combined with other red flags here.
What to consider before installing
This skill will parse local WeFlow JSON into a markdown knowledge card (parse_weflow.py does that and nothing more). However, SKILL.md promises automatic storage to Feishu using feishu_bitable_app / feishu_create_doc but the package provides no Feishu integration code or declared credentials. Before installing or running: 1) Confirm where Feishu auth would come from — ask the author for required env vars or an implementation of the Feishu calls. 2) If you plan to upload chat logs to any cloud service, ensure you have consent and appropriate privacy controls. 3) Inspect and run parse_weflow.py locally on sample data to verify behavior (it only writes a markdown file). 4) If you need Feishu automation, prefer a version that clearly documents required tokens, scopes, and uses official SDKs or well-known CLIs rather than relying on unspecified feishu_* tools. 5) If you do not intend to send data out, run the script offline and do not provide any credentials to the agent.Like a lobster shell, security has layers — review code before you run it.
chat-analysisvk97byxky02gnped08gkp3t9ews849kb1knowledgevk97byxky02gnped08gkp3t9ews849kb1latestvk97byxky02gnped08gkp3t9ews849kb1personal-aivk97byxky02gnped08gkp3t9ews849kb1wechatvk97byxky02gnped08gkp3t9ews849kb1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.