v1.0.0

Display Name: ChatMerge - Smart Multi-Channel Chat Minutes Assistant

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:14 AM.

Analysis

ChatMerge appears useful and purpose-aligned, but it asks for broad access to private chats, work-account tokens, long-running monitoring, cross-session notifications, and automated task/posting actions that users should review carefully before installing.

Guidance: Install only if you are comfortable giving this skill access to selected chat and work accounts. Use dedicated low-privilege tokens, restrict it to specific channels, avoid broad “all channels” discovery where possible, require review before creating tasks or sending summaries, and regularly audit or disable scheduled reports and real-time monitors.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
`allowed-tools: ["message", "bash", "read", "write", "sessions_send"]` ... `Jira: automatically create ticket` ... `GitHub: automatically create issue` ... `Calendar: automatically add reminder`

The skill grants broad tools, including bash/write/cross-session sending, and documents automated mutations in external business systems.

User impact: A summary or extracted action item could lead to new tickets, issues, reminders, files, or messages in connected systems if approvals and scopes are not tightly controlled.
Recommendation: Require explicit confirmation for every write, task creation, reminder, message send, or status update; disable bash unless a specific, reviewed command path is necessary.
Rogue Agents
Severity: High | Confidence: High | Status: Concern
QUICKSTART.md
`Set up once, automated forever` ... `Does real-time monitoring run continuously? A: Yes, until you stop the monitor manually.`

The artifacts explicitly describe persistent scheduled jobs and continuous monitoring that continue after the initial user request.

User impact: The skill may keep reading channels, generating reports, and sending notifications over time unless the user remembers to stop or delete the automation.
Recommendation: Set clear expiration dates, review all active schedules/monitors regularly, and require per-channel and per-destination approval before enabling persistent automation.
Cascading Failures
Severity: Medium | Confidence: Medium | Status: Concern
ADVANCED_FEATURES.md
`output_to: "slack:#standup-notes"` ... `output_to: "email:boss@company.com"` ... `output_to: "notion:page_id_xxx"` ... `auto_update: true`

Scheduled outputs and automatic updates can propagate an incorrect summary or extracted action item into shared channels, email, Notion, and task systems.

User impact: A mistaken or manipulated chat summary could be distributed to teams or managers, or update task systems, before a human catches the error.
Recommendation: Use human review for external distribution and automatic updates, especially for executive emails, public/shared channels, Jira/GitHub/Notion changes, and overdue reminders.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
QUICKSTART.md
Edit `~/.openclaw/openclaw.json` ... `"token": "YOUR_DISCORD_BOT_TOKEN"` ... `"botToken": "xoxb-your-bot-token", "appToken": "xapp-your-app-token"`

Direct-read mode depends on delegated chat-platform credentials and local account configuration, giving the agent access to potentially private or business chat data.

User impact: Installing and configuring this skill may let the agent read messages from connected work or personal chat accounts, depending on the bot/token permissions.
Recommendation: Use least-privilege bot tokens, limit channel access, avoid personal/admin tokens, and verify exactly which accounts and channels are connected before enabling direct reads.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Concern
BUG_FIXES.md
`sessions_send` - used for cross-session communication (real-time monitoring, scheduled minutes)

The skill documents cross-session communication for monitoring and scheduled reports, but the artifacts do not bound recipient identity, session scope, or data minimization.

User impact: Private chat summaries or alerts could be sent into other sessions or contexts if cross-session targets are misconfigured or too broad.
Recommendation: Only allow cross-session sends to explicitly named, user-approved destinations, and include previews before any private chat content is forwarded.
Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
`Recommend based on the user's historical usage habits` ... `Configuration saved` ... `I will keep tracking progress` ... `Identify task completion from subsequent chats`

The skill uses historical behavior, saved configuration, and later chat content for ongoing recommendations and task-state updates without clearly defining retention or trust boundaries.

User impact: Old chat context or inaccurate later messages could influence future recommendations, task status, or reports.
Recommendation: Define what state is saved, how long it is retained, and how users can delete it, and require confirmation before chat-derived statements update persistent task status.