Downloads: 372
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install sm-saver
Description
Save and digest resources from social media posts (X/Twitter, LinkedIn) or any URL. Use when the user shares a tweet URL, a LinkedIn post, or any link they w...
Usage Guidance
This skill mostly does what it says (extracts links, fetches them, summarizes, and appends to a resources.md file), but before installing or running it consider:
1) Confirm the host environment has the expected tools: xurl, python3, and whatever 'summarize' CLI is intended — ask the skill author which 'summarize' binary/service is required.
2) Be aware the skill will fetch arbitrary URLs you supply (or that someone supplies) and could contact internal network addresses — avoid giving it untrusted or internal links, or run it in a sandbox.
3) It will write to ~/workspace/resources.md; ensure you’re comfortable with automated writes to that path.
4) Verify the provenance/trustworthiness of xurl and the summarizer (is summarization done locally or by a remote API that could receive fetched content?).
If you need stronger assurance, request the skill author to: declare python3 and summarize in requires.bins, document the summarize implementation, limit or validate which URLs are fetched, and make the output file path configurable instead of hardcoded.
Capability Analysis
Type: OpenClaw Skill
Name: sm-saver
Version: 0.0.0-pr-check
The skill bundle contains a significant command injection vulnerability in SKILL.md. It instructs the agent to execute shell commands and a Python one-liner where user-provided URLs are directly interpolated into the execution string (e.g., `summarize "<url>"` and `urllib.request.Request('<url>', ...)`). While the stated purpose of saving social media resources is plausible, the lack of input sanitization in these `exec` calls allows a crafted URL to execute arbitrary code on the host system. No evidence of intentional malice or data exfiltration was found, but the implementation is highly insecure.
Capability Assessment
Purpose & Capability
The skill name and description match the actions in SKILL.md (extract tweet/LinkedIn content, fetch linked URLs, summarize, append to a resource log). Declaring xurl as a required binary is appropriate for Twitter/X extraction. However the instructions rely on a 'summarize' CLI (used first) and on python3 for a fallback without declaring them as required binaries. Also the skill will write to ~/workspace/resources.md — reasonable for a saver but not declared in metadata as a config path.
Instruction Scope
Instructions tell the agent to fetch arbitrary URLs (via 'summarize' or a python3 fallback that performs HTTP requests) and to append results to ~/workspace/resources.md. Fetching arbitrary URLs is central to the purpose but carries SSRF/side-channel risk (internal endpoints could be contacted if a user or adversary supplies internal URLs). The agent is explicitly instructed to run arbitrary shell commands (exec tool) using user-supplied URLs; the 'summarize' command is underspecified, so it could be local or call remote services. The file write is explicit and will modify user workspace files — this should be visible to the user and authorized.
Install Mechanism
There is no install spec and no code files — instruction-only — so nothing will be written to disk by an installer. This is the lower-risk model for skill distribution.
Credentials
The skill requests no credentials or environment variables, which aligns with its stated purpose. However it omits declaring python3 and the 'summarize' CLI as required binaries, which is an inconsistency (the fallback uses python3; the primary summarizer is unspecified). No secrets are requested, which is good.
Persistence & Privilege
always is false and the skill does not request special platform privileges. It will, if invoked, write to ~/workspace/resources.md (its own artifact) but it does not ask to persist credentials or modify other skills/configs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install sm-saver
- After installation, invoke the skill by name or use /sm-saver
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.0.0-pr-check
Slug availability check
Frequently Asked Questions
What is Sm Saver?
Save and digest resources from social media posts (X/Twitter, LinkedIn) or any URL. Use when the user shares a tweet URL, a LinkedIn post, or any link they w... It is an AI Agent Skill for Claude Code / OpenClaw, with 372 downloads so far.
How do I install Sm Saver?
Run "/install sm-saver" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Sm Saver free?
Yes, Sm Saver is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Sm Saver support?
Sm Saver is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Sm Saver?
It is built and maintained by 𝑠𝑝𝑖𝑑𝑒𝑦 (@spideystreet); the current version is v0.0.0-pr-check.