by 安全扫描
OpenClaw
可疑
medium confidence该技能的代码大体符合其声明的短期多通道记忆用途,但存在不一致及隐私风险(硬编码本地路径、未声明的文件访问、默认家庭共享行为),安装前需审查。
评估建议
Before installing or enabling this skill, review and adjust the code and integration settings: 1) Inspect session_hook.py and session_hook_lite.py and remove or change hard-coded absolute paths (they point to a developer's home). 2) Confirm where memory files will be stored (default 'memory/' vs absolute paths) and ensure they don't contain secrets you don't want injected into prompts. 3) Audit the family-group sharing logic — by default it includes other members' recent messages; enable/require...详细分析 ▾
ℹ 用途与能力
The name/description (multi-channel short-term memory) aligns with the included code (ChannelActivity, ShortTermMemory, CompleteContext). Features like TTL, summarization, cross-channel query and upgrade-to-long-term are implemented. However the code adds features not declared in metadata (family group sharing / automatic inclusion of other identities' entries) and the session hook files reference absolute developer workspace paths — these extend scope beyond what's documented in requires/config and are unexpected.
⚠ 指令范围
SKILL.md and INTEGRATION.md instruct adding a session hook so the agent can inject temporary-memory summaries before replies. The provided session_hook.py and session_hook_lite.py perform local file reads (memory JSON and MEMORY.md) and call ChannelActivity.get_context_summary. session_hook files hard-code sys.path insertions and in session_hook_lite a default memory_path points to an absolute developer path (/Users/kunpeng.zhu/.openclaw/workspace/MEMORY.md). The instructions do not disclose these file-path accesses or privacy implications (e.g., pulling full MEMORY.md into prompts).
✓ 安装机制
There is no external install spec (no downloads), so nothing is pulled from remote URLs. The skill is instruction/code-only and writes/reads local files under 'memory/' by default — expected for a local cache-based memory skill. Risk from install mechanism is low, but the package does include multiple Python modules that will be executed when invoked.
⚠ 凭证需求
The registry declares no required env vars or config paths, yet the code reads/writes local files (memory/channel-activity.json, memory/short-term-cache.json) and session_hook_lite defaults to an absolute MEMORY.md path in a developer home. The skill also includes a family-group sharing feature that by default will include other members' recent messages in summaries (ai_decision default True). These behaviors access and expose local persisted data and other users' entries without any declared config or explicit permission mechanism.
⚠ 持久化与权限
The skill is not marked always:true, but integration docs explicitly recommend adding session_hook to the agent's session flow so it runs automatically before replies. Combined with the family-sharing behavior and the code reading MEMORY.md, automatic invocation increases privacy/exfiltration risk because the agent could inject local and long-term memory contents into prompts without explicit per-call filtering. Also the session_hook files' hard-coded paths suggest the code may attempt to access unexpected filesystem locations.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv3.0.02026/3/8
channel-activity-yanyue 3.0.0 主要更新: - 版本号升至 3.0.0,体现内部重大变更。 - 四个文件中的代码与配置同步更新。 - 公开 API、使用说明及 SKILL.md 文档保持不变。
● 无害
安装命令
点击复制官方npx clawhub@latest install channel-activity-yanyue
镜像加速npx clawhub@latest install channel-activity-yanyue --registry https://cn.longxiaskill.com
技能文档
记录并查询不同通道的活动,30 分钟 TTL。
安装
``bash
npx clawhub@latest install channel-activity
` 用法
`python
from channel_activity import ChannelActivity
ca = ChannelActivity()
ca.record("feishu", "Task request")
summary = ca.get_context_summary(channel="qq")
`` 功能
- 多通道支持(Feishu、QQ 等)
- 30 分钟 TTL,自动清理
- 智能摘要(每条 50 字符)
- 跨通道查询