Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Meeting Minutes Generator
v1.0.2 · Converts Chinese meeting text into structured minutes, automatically extracting topics, participants, action items and due dates; supports Markdown, plain text and JSON output formats.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The code implements Chinese meeting parsing, action-item extraction, summary generation and output formatting, which matches the skill name and description. However, there are mismatches: SKILL.md asserts "零外部依赖 (pure Python standard library)" ("zero external dependencies"), while the code references external packages (requests, whisper) and networked STT backends; and package.json (present even though this is a Python project) declares requiredEnv for OPENAI_API_KEY and SENSEVOICE_API_KEY even though the registry metadata lists no required env vars. These inconsistencies reduce trust in the declared purpose/capability mapping.
Instruction Scope
SKILL.md shows only local usage examples for generate_minutes and mentions STT as optional, but it does not clearly warn that using audio/STT can upload audio to third-party services. The stt_interface module will (when used) call external endpoints: OpenAI's transcription API and a SenseVoice API URL (both via HTTP POST). SKILL.md also claims zero external dependencies, which is false. The runtime instructions therefore omit important external-network behavior and dependency requirements.
Install Mechanism
There is no install spec (the registry marks the skill as instruction-only), which is low risk. However, the package contains multiple Python source files, not just a SKILL.md. An npm-style package.json also exists in a Python project, which is unexpected and suggests the packaging metadata was not kept in sync. No remote downloads or installers are used, so no high-risk install mechanism is present.
Credentials
Registry metadata claimed no required env vars, but package.json lists OPENAI_API_KEY and SENSEVOICE_API_KEY. The code conditionally reads OPENAI_API_KEY, SENSEVOICE_API_KEY and SENSEVOICE_API_URL to call remote STT services; these credentials are sensitive. Requiring them unconditionally (as package.json implies) would be disproportionate since STT is optional — the skill can operate on text-only input without them. This mismatch is a red flag: do not supply credentials unless you intend to use STT and trust the endpoint.
Persistence & Privilege
Flags show always:false and normal user-invocable/autonomous settings. The skill does not request persistent agent-wide privileges or modify other skills. It does not install background services or alter system-wide configs.
What to consider before installing
This skill's functionality (parsing Chinese meeting text, extracting actions and formatting output) appears legitimate, but there are several inconsistencies you should resolve before trusting it:

1) SKILL.md claims "zero external dependencies", but the code imports requests, can call external STT APIs (OpenAI / SenseVoice) and may require whisper for local STT.
2) package.json lists requiredEnv (OPENAI_API_KEY, SENSEVOICE_API_KEY) even though the registry metadata shows no required envs and the code treats those keys as optional for STT.
3) The repository/source is unknown and the homepage is missing; SKILL.md includes links and commercial pricing claims — verify the origin and license.

Recommended actions:
- If you only plan to use text input, you can run the Python code locally without providing API keys; still inspect the code locally.
- Do not provide OPENAI_API_KEY or SENSEVOICE_API_KEY unless you understand and trust the external endpoint (check SENSEVOICE_API_URL).
- Audit stt_interface.py to confirm exactly what data would be uploaded and to which URL before using audio-to-text features.
- Consider running the included tests in an isolated sandbox to verify behavior.
- Ask the publisher to clarify the package.json vs registry metadata mismatch and the "zero external dependencies" claim.

If you need help reviewing any specific lines or running the tests safely, I can help step through that.
Version: latest (vk9736t8kt2ra5ekhz0zf3ydnb183958b)
