Hey summon

Author: thomasansems · GitHub ↗ · v0.1.0-beta
cross-platform ⚠ suspicious
Total downloads: 378
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install heysummon
Description
Request expert help by submitting queries to the HeySummon platform, which routes them to registered human providers for assistance.
Usage instructions (SKILL.md)

HeySummon Consumer Skill

When you (an AI agent) get stuck, request help from a human expert via HeySummon.

When someone requests help, the skill submits a request to the HeySummon platform. The platform matches it to a registered provider (human expert) who can assist. Users can say "Hey summon John Doe to help" or "Hey summon a Python expert to help". The skill then routes the request to the appropriate provider based on the registered providers in providers.json.

Setup

Step 1: Configure Environment

Create .env in the skill directory with your HeySummon platform details:

HEYSUMMON_BASE_URL=http://localhost:3445
HEYSUMMON_API_KEY=hs_cli_your_key_here
HEYSUMMON_NOTIFY_MODE=message
HEYSUMMON_NOTIFY_TARGET=your_chat_id

Platform Options:

  • Self-hosted: Use your local/server URL (e.g., http://localhost:3445)
  • Cloud: Use https://cloud.heysummon.ai

Get API Key:

  1. Go to your HeySummon dashboard
  2. Navigate to Users → Create user profile (or ask provider for client key)
  3. Create a client key (starts with hs_cli_...)

⚠️ Security: API keys starting with hs_prov_ are provider keys (not client keys). These will be rejected.

Step 2: Register Provider(s)

bash scripts/add-provider.sh "hs_cli_your_key" "FriendlyName"

This fetches provider info from the platform and stores it locally. You can register multiple providers for routing.

List registered providers:

bash scripts/list-providers.sh

Step 3: Start Event Watcher

bash scripts/setup.sh

This starts a persistent SSE listener that connects to the platform's event stream (/api/v1/events/stream). You'll receive notifications when providers respond.

To stop:

bash scripts/teardown.sh

Architecture

HeySummon Platform API (/api/v1/events/stream)
           ↓
    SSE Event Stream
           ↓
   Platform Watcher (pm2)
           ↓
   OpenClaw Notification
           ↓
        Your Chat

All communication flows through the platform API. E2E encryption is handled server-side.

Scripts

| Script | Purpose |
|---|---|
| setup.sh | Start the platform event watcher (pm2/nohup) |
| teardown.sh | Stop the watcher |
| platform-watcher.sh | SSE listener → sends notifications via OpenClaw |
| submit-request.sh | Submit a help request |
| add-provider.sh | Register a provider |
| list-providers.sh | List registered providers |
| check-status.sh | Check request status |
| crypto.mjs | E2E encryption: keygen, encrypt, decrypt |
| auto-sync.sh | Git auto-sync (cron job) |

Usage

Submit a Help Request

To a specific provider:

bash scripts/submit-request.sh "Your question" '[{"role":"user","content":"context"}]' "ProviderName"

To default provider (from .env):

bash scripts/submit-request.sh "Your question" '[{"role":"user","content":"context"}]'

Provider routing: The script matches provider names case-insensitively from providers.json. If no match is found, it shows available providers and exits.

Wait for Response

The platform watcher handles real-time notifications:

  • 🔑 Key exchange — provider connected
  • 📩 New message — provider responded
  • 🔒 Closed — conversation ended

Check Status (Fallback)

bash scripts/check-status.sh <REQUEST_ID>

When to Use

Use HeySummon when you are truly stuck:

  • Ambiguous requirements needing clarification
  • Domain expertise required
  • Blocked by something you can't resolve autonomously

Request Statuses

| Status | Meaning |
|---|---|
| pending | Waiting for provider to accept |
| active | Key exchange done — conversation in progress |
| closed | Closed by either party |
| expired | No response within 72 hours |

Environment Variables

| Variable | Default | Description |
|---|---|---|
| HEYSUMMON_BASE_URL | http://localhost:3445 | Platform API URL |
| HEYSUMMON_API_KEY | (required) | Client API key (hs_cli_...) |
| HEYSUMMON_NOTIFY_MODE | message | Notification mode: message or file |
| HEYSUMMON_NOTIFY_TARGET | (required for message mode) | Chat ID for notifications |
| HEYSUMMON_KEY_DIR | {skill}/.keys | Directory for encryption keypairs |
| HEYSUMMON_REQUESTS_DIR | {skill}/.requests | Directory for active request tracking |
| HEYSUMMON_PROVIDERS_FILE | {skill}/providers.json | Provider registry file |

Security

  • API keys stored in .env (gitignored)
  • Keypairs stored in .keys/ (gitignored)
  • Providers stored in providers.json (gitignored)
  • All paths relative to skill directory
  • E2E encryption handled by platform
  • No hardcoded credentials in code

Never commit:

  • .env
  • providers.json
  • .keys/ directory
  • .requests/ directory
Security recommendations
This skill appears to do what it claims (send requests to HeySummon) but contains several behaviours you should review before installing:

  • Registry metadata omits required credentials: the scripts and SKILL.md expect HEYSUMMON_API_KEY, HEYSUMMON_NOTIFY_TARGET and path variables, but the published requirements list none. Treat that as a red flag.
  • The platform-watcher reads your OpenClaw gateway token from ~/.openclaw/openclaw.json and uses it to call the local OpenClaw tools endpoint. That token is sensitive and belongs to another subsystem; confirm you are comfortable granting the skill that access and prefer an explicit env var if possible.
  • Providers' client API keys are written to providers.json and keypairs to .keys; ensure those files are gitignored and permissioned (chmod 600/700). Note the included auto-sync.sh will run git add -A; if you run it (or cron-enable it) it can accidentally commit and push secrets if .gitignore is misconfigured — disable or remove auto-sync unless you audited the repo's ignores.
  • The watcher runs persistently (pm2/nohup). If you don't want long-running background processes, do not run setup.sh and instead invoke submit-request manually. Inspect platform-watcher.sh to ensure it behaves as you expect.
  • If you plan to install: audit .env/.gitignore, remove or disable auto-sync.sh, consider replacing the implicit home-directory token lookup with an explicit HEYSUMMON_OPENCLAW_TOKEN env var, and run the watcher in a sandbox or limited-account environment first.

If you do not trust the HeySummon platform or the provider keys you're registering, do not run the skill. Overall: coherent functionality but several un-declared and sensitive local accesses — proceed only after auditing and adjusting the scripts to match your security requirements.
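The ignore and permission checks recommended above, written as a pre-flight audit to run before anything stages files. This is an added example, not one of the skill's own scripts: the function name `audit_skill_dir` and the finding labels are assumptions, and the paths are the ones in SKILL.md's "Never commit" list.

```shell
#!/usr/bin/env bash
# Added example (not one of the skill's scripts): audit a skill checkout for
# secret-bearing paths that `git add -A` could stage or other users could read.
# Usage: audit_skill_dir /path/to/skill || echo "fix findings before syncing"

audit_skill_dir() {
  local dir="$1" findings=0 p mode
  # Paths from SKILL.md's "Never commit" list.
  for p in .env providers.json .keys .requests; do
    [ -e "$dir/$p" ] || continue

    # 1. An ignore rule must match the path. --no-index tests the rules
    #    themselves, so an already-tracked file is reported only by check 2.
    if ! git -C "$dir" check-ignore -q --no-index -- "$p" 2>/dev/null; then
      echo "NOT-IGNORED $p"; findings=$((findings + 1))
    fi

    # 2. .gitignore does not untrack files: anything already in the index
    #    keeps being committed and pushed.
    if [ -n "$(git -C "$dir" ls-files -- "$p" 2>/dev/null)" ]; then
      echo "TRACKED $p"; findings=$((findings + 1))
    fi

    # 3. No group/other permission bits (600 files, 700 directories).
    #    GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$dir/$p" 2>/dev/null || stat -f '%Lp' "$dir/$p")
    case $mode in
      *00) ;;
      *) echo "LOOSE-PERMS $p ($mode)"; findings=$((findings + 1)) ;;
    esac
  done
  # Exit status 0 only when nothing was reported.
  [ "$findings" -eq 0 ]
}
```

A `TRACKED` finding means the file is already in history; removing it from the index with `git rm --cached` stops future commits, but any key that was pushed should be rotated.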
Functional analysis
Type: OpenClaw Skill
Name: heysummon
Version: 0.1.0-beta

The skill is classified as suspicious due to its use of powerful system commands and access to sensitive local resources, even though these actions are largely justified by its stated purpose. Key indicators include `platform-watcher.sh` reading the OpenClaw gateway token from `~/.openclaw/openclaw.json` (though used for local communication), `curl` calls to external endpoints with API keys, and `auto-sync.sh` performing `git add`, `git commit`, and `git push origin main`. While these are documented features, they represent significant capabilities that could be leveraged for malicious purposes if the external platform or the skill's repository were compromised, or if the `node -e` JSON parsing were vulnerable to injection.
Capability assessment
Purpose & Capability
The skill's name/description (submit queries to HeySummon) matches the scripts' purpose (submit-request, platform watcher, provider registration). However the published registry metadata declares no required environment variables or credentials while the SKILL.md and scripts clearly require HEYSUMMON_API_KEY, HEYSUMMON_NOTIFY_TARGET, HEYSUMMON_* path variables and implicitly read an OpenClaw gateway token from the user's home (~/.openclaw/openclaw.json). The missing declared requirements are an incoherence and should have been declared in the registry metadata.
Instruction Scope
The runtime instructions and scripts do more than just call the HeySummon API: the platform-watcher reads the OpenClaw gateway token from ~/.openclaw/openclaw.json and uses it to call the local OpenClaw tools/invoke endpoint; submit-request and add-provider store client API keys in providers.json; crypto keypairs are generated and stored under .keys; platform-watcher creates a persistent SSE listener (pm2/nohup). These actions access and persist sensitive local config and create persistent processes that are not obvious from minimal description text. The watcher also fetches message bodies from the platform and will attempt to decrypt/display them — all of which are within the skill's purpose but expand the runtime access surface significantly.
Install Mechanism
There is no install spec (instruction-only), so no external downloads or archive extraction are performed by an installer. That lowers supply-chain risk. However included helper scripts (auto-sync.sh) will auto-commit and push all repo changes to origin/main if run (a non-trivial action). The skill also expects Node, curl, jq, pm2 which are standard but not declared in registry metadata. No remote binary download URLs are present.
Credentials
The skill legitimately needs a HeySummon client API key (HEYSUMMON_API_KEY) and notify-target settings, but it also reads the OpenClaw gateway token directly from the user's home directory (not declared as a required env). It stores provider client keys in providers.json and keypairs in .keys. The auto-sync script can push whatever is in the repo (potentially including misconfigured .env or providers.json) to GitHub. Requesting and reading the OpenClaw gateway token (an unrelated platform credential) is disproportionate to a simple 'submit request' description and should be explicit and optional.
Persistence & Privilege
The skill spawns a persistent background watcher (pm2 or nohup) that runs continuously and writes state to .requests, .keys, .seen-events.txt and may be auto-started by submit-request. It does not use always:true in metadata, but it does install a long-running local component and can auto-start itself. Combined with the credential access and local file writes, this persistent presence materially increases blast radius if the skill or its config are compromised.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install heysummon
  3. Once installed, call the skill by name or trigger it with /heysummon
  4. Provide the required input according to the skill's parameter description to get structured output
Version history
v0.1.0-beta
HeySummon Consumer Skill v1.0.0

  • Initial release of the HeySummon consumer skill.
  • Enables AI agents to request help from human experts via the HeySummon platform.
  • Supports provider registration, real-time event notifications, and secure E2E communication.
  • Includes utility scripts for submitting requests, managing providers, and monitoring status.
  • Comprehensive setup and usage instructions provided in SKILL.md.

Metadata
Slug heysummon
Version 0.1.0-beta
License
Total installs 0
Current installs 0
Version count 1
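FAQ

What is Hey summon?

Request expert help by submitting queries to the HeySummon platform, which routes them to registered human providers for assistance. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 378 total downloads to date.

How do I install Hey summon?

Run the command "/install heysummon" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Hey summon free?

Yes, Hey summon is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Hey summon support?

Hey summon runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Hey summon?

Developed and maintained by thomasansems (@thomasansems); the current version is v0.1.0-beta.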
