puzle-read
v0.1.5
Connect to Puzle Read — an intelligent reading workbench that helps users turn articles and documents into searchable personal knowledge. Save web articles (...
by @zinklu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill name, SKILL.md, and bundled Python SDK implement a reading library client (save URLs, upload files, search) and are consistent with the description. Minor metadata mismatch: registry metadata lists no primary credential, but SKILL.md documents a device-auth JWT stored in ~/.config/puzle/config.json as the primary credential — this is implementation-local (file-based) rather than an environment variable.
Instruction Scope
Runtime instructions are scoped to: checking/setting a local token, instructing the user through a device-auth flow, and saving/processing URLs or local files. The skill reads local files only when the user asks to upload them and sends them to the Puzle service. There are no instructions to read unrelated system files, environment variables, or to transmit data to unexpected endpoints.
Install Mechanism
No install spec or external downloads; the SDK is bundled as scripts/puzle_reading.py. It requires Python and the requests library (documented). Nothing is written to the system beyond the client’s own config file when authorizing.
Credentials
The skill does not request environment variables or external credentials. It does require a user JWT obtained via device-auth; that token is saved to ~/.config/puzle/config.json (the code sets file permissions to 0600). The token handling is local (not placed into env vars or logs) per SKILL.md and code. Users should note the registry metadata did not declare this credential even though the SKILL.md explains the device-auth token flow.
Persistence & Privilege
always:false (default). The skill writes only its own config file (~/.config/puzle/config.json) to store the token and does not request system-wide privileges or modify other skills. Autonomous invocation is allowed by default but not combined with elevated privileges here.
Assessment
This skill implements a normal client/CLI for the Puzle Read service. Before installing: (1) Confirm you trust the external host (https://read-web.puzle.com.cn) and review its privacy/retention policy — uploaded files (PDFs, images, audio, etc.) are sent to that service. (2) Do not upload sensitive or regulated data unless you accept that external processing and storage. (3) The device-auth flow requires you to paste a short authorization code; the resulting JWT is stored locally at ~/.config/puzle/config.json (file is created with 0600 perms). (4) Note a minor metadata inconsistency: the SKILL.md documents this token flow but the registry entry did not declare a primary credential. If you need higher assurance, inspect scripts/puzle_reading.py yourself or avoid uploading confidential files.
Like a lobster shell, security has layers — review code before you run it.
