
      Safety Report

      OpenClaw Capture

      @etherstrings

      Wrap a local openclaw_capture_workflow checkout as an OpenClaw/ClawHub skill that captures links, text, images, and videos, routes STT by platform, and fans...

      203 Downloads
      0 Installs
      0 Stars
      1 Versions
      Workflow Automation (8,822) · Video & Audio (6,125) · Image Processing (4,554) · Legal & Compliance (1,710)

      Security Analysis

      medium confidence
      Suspicious · 0.08 risk

      The skill largely does what its description says (dispatches capture payloads into a local workflow and fans out to Telegram/Feishu), but the registry metadata (no env/config requirements) is inconsistent with the code and SKILL.md which require many secrets, write to disk, and execute local subprocesses — so review is needed before installing.

      Mar 16, 2026 · 17 files · 4 concerns

      Purpose & Capability: concern

      The code and SKILL.md match the described purpose (wrapping a local openclaw_capture_workflow and fanning out results). However the registry metadata claims no required env vars/config paths while the SKILL.md and code require many environment settings (model API key, Telegram bot token, Feishu webhook, legacy project root, backend mode/URL, etc.) and will read legacy project files. That mismatch is an incoherence that could mislead users about secrets the skill needs.

      Instruction Scope: note

      SKILL.md instructs the agent to normalize a payload and run scripts/dispatch_capture.py (or pipe JSON). The runtime will import and execute the local openclaw_capture_workflow code (library mode) or POST to a backend (http mode), call external model APIs, and send requests to Telegram/Feishu webhooks. It may also execute a user-provided local STT CLI command via subprocess. These actions are within the skill's purpose, but they entail reading local project files, creating state/artifact directories, writing notes to an Obsidian vault, and making network calls — all of which the user should expect and review.

      Install Mechanism: ok

      No install spec; code is bundled with the skill and nothing is downloaded or executed at install. This minimizes supply-chain risk from remote installs.

      Credentials: concern

      The SKILL.md and code require multiple environment variables that are sensitive (OPENCLAW_CAPTURE_MODEL_API_KEY, OPENCLAW_CAPTURE_TELEGRAM_BOT_TOKEN, OPENCLAW_CAPTURE_FEISHU_WEBHOOK, etc.) and config paths (OPENCLAW_CAPTURE_LEGACY_PROJECT_ROOT). The registry metadata incorrectly lists 'Required env vars: none' which under-represents required secrets and configuration. The number and sensitivity of env vars is proportionate to the stated functionality, but the metadata mismatch and lack of explicit required-secret declaration is a red flag.

      Persistence & Privilege: note

      always:false (no forced global inclusion). The skill writes state and artifacts under its state_dir (default: skill_root/.state) and the legacy workflow may write into the user's Obsidian vault or other legacy paths; it also imports and executes code from a local checkout. These are expected for a capture/archiving tool but are persistent filesystem effects and should be considered when granting the skill access.

      Guidance

      Key points to consider before installing/using this skill:

      - Metadata mismatch: The registry lists no required env vars, but SKILL.md and the code require several sensitive environment variables (model API key, Telegram bot token, Feishu webhook) and may read legacy config files. Treat the SKILL.md as authoritative and do not assume the registry metadata is complete.
      - Secrets and network calls: The skill will send data to external endpoints (model API base, Telegram API, Feishu webhook). Only provide API keys and tokens you trust the code to use. If you cannot review the receiving endpoints (for example aiHubMix), do not set the keys.
      - Local code import and execution: In library mode the skill inserts your legacy project's src onto PYTHONPATH and imports openclaw_capture_workflow — that import executes code from the local repo. Only enable library mode if you trust the local repository contents. Review the local repo before use.
      - Subprocess execution: If you set OPENCLAW_CAPTURE_LOCAL_STT_COMMAND, the skill will format and run that command (via shlex.split and subprocess.run). Avoid putting untrusted templated shell constructs in that variable; it can execute arbitrary commands.
      - Filesystem writes: The skill creates state and artifact directories and (via the legacy workflow) may write notes into an Obsidian vault or other local paths. Ensure state_dir and vault paths are acceptable and isolated if needed.
      - Mitigations: run in an isolated environment (container or dedicated account), review the bundled scripts and any local openclaw_capture_workflow checkout, avoid exposing high-privilege credentials, and prefer HTTP backend mode to isolate execution from importing local code if you cannot audit the local repo.

      If you want, I can (1) point out the exact lines that read/write files or make network calls, (2) list all environment variables the code actually reads, or (3) summarize the security implications of running in library vs http backend mode.

      Latest Release

      v0.1.0

      Initial publish of the OpenClaw capture wrapper skill.

      Published by @etherstrings on ClawHub
