← Back to Skills Marketplace
123
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install skill-c-fetch-minutes
Description
【会后纪要抓取与issue草稿生成】每10分钟由 OpenClaw cron 触发一次。负责在会议结束后从腾讯会议拉取转录与AI智能纪要,由 OpenClaw 做两阶段issue抽取,生成 draft_issue.md 等四个文件并提交到 Gitea,最后通知组织者审核。不处理会议创建、会前简报、issue落地等场景。
Usage Guidance
Before installing or enabling this skill:
- Note the manifest/registry declares no required env vars, but the code and setup script require a config file at ~/.config/skill-c-fetch-minutes/.env and the variables GITEA_BASE_URL, GITEA_TOKEN_BOT, and AIFUSION_META_REPO. Do not provide credentials until you confirm these requirements.
- The GITEA_TOKEN_BOT grants repository and meta-repo access (read/write). Use a dedicated bot account with the minimum necessary scopes (only the specific repos and meta-repo), not a personal or org-wide admin token.
- The env-example contains an IP address (43.156.243.152:3000). Verify the intended Gitea host and do not point credentials to unknown hosts.
- setup.sh will run pip install -r requirements.txt (uses --break-system-packages). Run setup inside an isolated environment (virtualenv, container) rather than on your system Python to avoid system-wide changes.
- Review the code paths that call the Gitea API (gitea_utils.py, log_utils.py, commit_content.py, scan.py) to ensure behaviour and targets are acceptable (which repos will be enumerated via /repos/search and what the token can access).
- If you want to proceed, consider: create a least-privilege bot token limited to specific repos and meta repo; run the skill in an isolated environment; and test against a staging Gitea instance first.
If you want, I can list the exact lines where the code reads env vars and calls Gitea APIs and suggest minimal token scopes to grant.
Capability Analysis
Type: OpenClaw Skill
Name: skill-c-fetch-minutes
Version: 1.0.2
The skill bundle automates meeting minutes processing but contains a significant security vulnerability in `scripts/commit_content.py`. The script accepts arbitrary file paths via command-line arguments (e.g., `--transcript-file`) and uploads their contents to Gitea without path sanitization or directory restricted validation. This creates a risk of arbitrary file exfiltration; if the AI agent is manipulated via prompt injection to provide paths to sensitive local files (such as `~/.ssh/id_rsa` or `.env` files), the script will read and upload them to the Gitea repository. While the behavior aligns with the stated purpose, the lack of input validation on file operations is a high-risk flaw.
Capability Assessment
Purpose & Capability
The skill's name/description describe a cron-driven post-meeting flow that pulls transcripts (via a separate tencent-meeting-skill), runs AI extraction in OpenClaw, and commits files to Gitea. The included code implements Gitea scanning, status updates, file upsert, and logging—which matches the described purpose. However the registry metadata declared no required env vars/config paths while the code and SKILL.md require a config file at ~/.config/skill-c-fetch-minutes/.env and Gitea-related environment variables. That mismatch between declared requirements and real requirements is an incoherence worth noting.
Instruction Scope
The SKILL.md instructions and scripts are scoped to scanning Gitea repos, updating meeting statuses, writing files to Gitea, and producing email payloads. The skill does not itself call Tencent Meeting APIs (it delegates that to another skill) and it does not attempt to read arbitrary unrelated files. It does read ~/.config/skill-c-fetch-minutes/.env for configuration (declared in SKILL.md), which is appropriate for its operation.
Install Mechanism
There is no formal install spec in the registry, but the bundle includes a setup.sh that runs pip install -r requirements.txt (PyPI packages). This is a common install path but means code will install Python packages on the host. setup.sh uses pip with --break-system-packages which can be intrusive on some systems; there are no downloads from unknown URLs or archives in the manifest.
Credentials
The registry metadata lists no required environment variables or config paths, yet the code and setup script require and use GITEA_BASE_URL, GITEA_TOKEN_BOT, and AIFUSION_META_REPO (via ~/.config/skill-c-fetch-minutes/.env). Those are sensitive: the Gitea token is used for repository search, reading and writing files, and writing logs into the meta repo. The skill will therefore need a token with read/write access to managed repos and the meta repo; that privilege should be minimised and explicitly requested in metadata. Also env-example contains an IP-based Gitea endpoint (43.156.243.152:3000) — it's only an example but you should confirm the intended host before providing credentials.
Persistence & Privilege
The skill is not marked always:true. It does modify repositories and write logs to a meta repo (expected for its purpose). It does not attempt to modify other skills' configs. However because it writes to repositories and the meta log, the Gitea token should be scoped to the minimum necessary privileges; this is a privilege consideration rather than an incoherence.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install skill-c-fetch-minutes - After installation, invoke the skill by name or use
/skill-c-fetch-minutes - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
- Adds a mandatory 20-minute grace period after meeting end before post-processing starts; only meetings ended for over 20 minutes are processed.
- `scan` now includes a `ready_for_postprocess` flag and only returns eligible meetings; `set-waiting` requires this condition and returns `skipped=true` if not met.
- B and C class meeting scanning fields enhanced (`meeting_end_time`, `ready_after_time`, etc.) for improved timing and retry logic.
- Workflow and error handling updated: meetings not past the 20-minute waiting window are skipped until eligible, ensuring accurate status transitions.
- No code or file logic changes; documentation and workflow are aligned for stricter, safer meeting post-processing.
v1.0.1
- Now supports processing meetings in both `scheduled` and `brief-sent` states after meeting ends, ensuring the workflow continues even if the pre-brief is skipped.
- Enhanced `scan` and `set-waiting`: add compatibility for `scheduled` status, not just `brief-sent`.
- Improved robustness to handle late-started meetings—A类 (class_a) now includes both `scheduled` and `brief-sent` meetings.
- Updated documentation with key compatibility logic and clearer instructions about supported meeting statuses.
v1.0.0
skill-c-fetch-minutes v1.0.0
- Initial release.
- Automates post-meeting transcript fetching from Tencent Meeting and AI summary retrieval.
- Runs every 10 minutes, managing meeting status transitions and error handling.
- Performs two-stage AI extraction to generate and commit four key files (transcript.md, ai_summary.md, minutes.md, draft_issue.md) to Gitea.
- Sends notification emails to organizers for review or manual transcript upload if needed.
- Excludes meeting creation, pre-meeting briefs, and direct issue creation.
Metadata
Frequently Asked Questions
What is skill-c-fetch-minutes?
【会后纪要抓取与issue草稿生成】每10分钟由 OpenClaw cron 触发一次。负责在会议结束后从腾讯会议拉取转录与AI智能纪要,由 OpenClaw 做两阶段issue抽取,生成 draft_issue.md 等四个文件并提交到 Gitea,最后通知组织者审核。不处理会议创建、会前简报、issue落地等场景。 It is an AI Agent Skill for Claude Code / OpenClaw, with 123 downloads so far.
How do I install skill-c-fetch-minutes?
Run "/install skill-c-fetch-minutes" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is skill-c-fetch-minutes free?
Yes, skill-c-fetch-minutes is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does skill-c-fetch-minutes support?
skill-c-fetch-minutes is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created skill-c-fetch-minutes?
It is built and maintained by myd2002 (@myd2002); the current version is v1.0.2.
More Skills