Privacy Concierge
by charlielila · v1.0.0
498 Downloads · 0 Stars · 1 Active Installs · 1 Versions
Install in OpenClaw
/install privacy-concierge
Description
Personal AI assistant that monitors your online privacy, calculates exposure scores, automates data broker opt-outs, tracks breaches, and offers privacy advice.
Usage Guidance
Do not install or provide secrets yet. Ask the publisher for clarification and fixes first:
1) Explain why the registry metadata lists no env vars while SKILL.md requires GROQ_API_KEY, SUPABASE_URL/SUPABASE_ANON_KEY, and TELEGRAM_BOT_TOKEN; update registry metadata to match.
2) Remove or restrict tools/read.js (or replace it with a limited-purpose API); a generic file-read helper can be used to access local secrets and is unnecessary for the described features.
3) Clarify which Supabase key is required; for deletions/DSARs a service-role key is more likely needed (and is sensitive); prefer least privilege and explicit guidance on key scope.
4) Explain how email sending is implemented and which credentials are required (SMTP/API keys) and update SKILL.md.
5) Ask for the upstream source or homepage and a code audit; run the skill in a sandbox with monitored network access before giving it real credentials.
If you must try it, create dedicated, limited-permission test credentials (test Supabase project, Telegram bot scoped to a test chat, and a throwaway LLM key) and do not reuse any production secrets.
Capability Analysis
Type: OpenClaw Skill
Name: privacy-concierge
Version: 1.0.0
The skill bundle contains a critical vulnerability in `tools/read.js`. This file exposes a `readFile` function that directly uses `params.path` in `fs.readFileSync`, allowing the AI agent to read arbitrary files on the system. This lack of input sanitization or access control makes the agent highly susceptible to prompt injection attacks, potentially leading to sensitive information disclosure (e.g., credentials, private keys) or further system compromise, despite the stated benign purpose in `SKILL.md` and other documentation.
Capability Assessment
Purpose & Capability
The SKILL.md claims Supabase storage, Telegram messaging, LLM inference, and email sending and lists GROQ_API_KEY, SUPABASE_URL & SUPABASE_ANON_KEY, and TELEGRAM_BOT_TOKEN as required. The registry metadata, however, declares no required environment variables — this mismatch is a red flag. Also config.json includes a default local LLM (llama-3.3-70b-versatile) while SKILL.md asks for a GROQ_API_KEY for inference, which is inconsistent. Requesting a SUPABASE_ANON_KEY for a component that performs writes/DSARs may be insufficient or inappropriate (writes usually require a privileged key). Overall some requested capabilities make sense for the described functionality (Supabase for memory, Telegram for alerts), but the declared requirements and runtime assumptions do not align.
Instruction Scope
SKILL.md describes web search, Supabase read/write, and email opt-outs and states data stays only in Supabase. It does not describe reading local filesystem data. Yet the bundle contains tools/read.js — a generic file-read helper that can synchronously read arbitrary files by path. That capability is not documented and could be used to access local secrets or sensitive files. SKILL.md also mentions 'email sending' but does not declare any SMTP or email-provider credentials needed. Proactive unprompted messaging (cron/webhooks) is also described but not operationally constrained.
Install Mechanism
This is instruction-only with no install spec, which is lower-risk in that nothing is downloaded during install. However the skill includes a code file (tools/read.js) that will run inside the agent environment when invoked; any included code will execute at runtime even without an install step. There is no third-party package download or obscure URL involved.
Credentials
SKILL.md requests GROQ_API_KEY, SUPABASE_URL & SUPABASE_ANON_KEY, and TELEGRAM_BOT_TOKEN — these map to LLM inference, storage, and messaging and are plausible. However: (1) the registry metadata lists no required env vars (incoherent); (2) SUPABASE_ANON_KEY is typically a low-privilege key and may not be appropriate for write/delete operations (DSARs/opt-outs could require a service role key); (3) GROQ_API_KEY conflicts with the local default_model in config.json; and (4) email-sending is described but no SMTP/API keys are requested, suggesting an undocumented external dependency. The presence of a generic file reader increases the risk that environment secrets or local credentials could be accessed if the skill is misused.
Persistence & Privilege
`always` is false (no forced persistent inclusion), and `disable-model-invocation` is false (normal autonomous invocation allowed). The skill states it can proactively message users (cron/webhooks). Autonomous invocation combined with messaging and access to external services (Supabase/Telegram) increases blast radius if the skill misbehaves, but on its own this is an expected capability for this type of assistant.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install privacy-concierge
- After installation, invoke the skill by name or use /privacy-concierge
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Privacy Concierge ("Guardian") skill for OpenClaw.
- Calculates real-time privacy scores based on user data exposures.
- Automates opt-out requests to 300+ data brokers and provides DSAR request tracking.
- Performs daily scans for new data appearances or breaches.
- Offers personalized privacy advice for social media and ad tracking.
- Supports persistent user memory via Supabase.
- Sends instant alerts for high-risk privacy events.
- Provides conversational, source-backed answers to privacy-related questions.
Frequently Asked Questions
What is Privacy Concierge?
Personal AI assistant that monitors your online privacy, calculates exposure scores, automates data broker opt-outs, tracks breaches, and offers privacy advice. It is an AI Agent Skill for Claude Code / OpenClaw, with 498 downloads so far.
How do I install Privacy Concierge?
Run "/install privacy-concierge" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Privacy Concierge free?
Yes, Privacy Concierge is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Privacy Concierge support?
Privacy Concierge is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Privacy Concierge?
It is built and maintained by charlielila (@charlielila); the current version is v1.0.0.