← 返回 Skills 市场
charlielila

Privacy Concierge

作者 charlielila · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
498
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install privacy-concierge
功能描述
Personal AI assistant that monitors your online privacy, calculates exposure scores, automates data broker opt-outs, tracks breaches, and offers privacy advice.
安全使用建议
Do not install or provide secrets yet. Ask the publisher for clarification and fixes first: 1) Explain why the registry metadata lists no env vars while SKILL.md requires GROQ_API_KEY, SUPABASE_URL/SUPABASE_ANON_KEY, and TELEGRAM_BOT_TOKEN; update registry metadata to match. 2) Remove or restrict tools/read.js (or replace it with a limited-purpose API) — a generic file-read helper can be used to access local secrets and is unnecessary for the described features. 3) Clarify which Supabase key is required; for deletions/DSARs a service-role key is more likely needed (and is sensitive); prefer least privilege and explicit guidance on key scope. 4) Explain how email sending is implemented and which credentials are required (SMTP/API keys) and update SKILL.md. 5) Ask for the upstream source or homepage and a code audit; run the skill in a sandbox with monitored network access before giving it real credentials. If you must try it, create dedicated, limited-permission test credentials (test Supabase project, Telegram bot scoped to a test chat, and a throwaway LLM key) and do not reuse any production secrets.
功能分析
Type: OpenClaw Skill Name: privacy-concierge Version: 1.0.0 The skill bundle contains a critical vulnerability in `tools/read.js`. This file exposes a `readFile` function that directly uses `params.path` in `fs.readFileSync`, allowing the AI agent to read arbitrary files on the system. This lack of input sanitization or access control makes the agent highly susceptible to prompt injection attacks, potentially leading to sensitive information disclosure (e.g., credentials, private keys) or further system compromise, despite the stated benign purpose in `SKILL.md` and other documentation.
能力评估
Purpose & Capability
The SKILL.md claims Supabase storage, Telegram messaging, LLM inference, and email sending and lists GROQ_API_KEY, SUPABASE_URL & SUPABASE_ANON_KEY, and TELEGRAM_BOT_TOKEN as required. The registry metadata, however, declares no required environment variables — this mismatch is a red flag. Also config.json includes a default local LLM (llama-3.3-70b-versatile) while SKILL.md asks for a GROQ_API_KEY for inference, which is inconsistent. Requesting a SUPABASE_ANON_KEY for a component that performs writes/DSARs may be insufficient or inappropriate (writes usually require a privileged key). Overall some requested capabilities make sense for the described functionality (Supabase for memory, Telegram for alerts), but the declared requirements and runtime assumptions do not align.
Instruction Scope
SKILL.md describes web search, Supabase read/write, and email opt-outs and states data stays only in Supabase. It does not describe reading local filesystem data. Yet the bundle contains tools/read.js — a generic file-read helper that can synchronously read arbitrary files by path. That capability is not documented and could be used to access local secrets or sensitive files. SKILL.md also mentions 'email sending' but does not declare any SMTP or email-provider credentials needed. Proactive unprompted messaging (cron/webhooks) is also described but not operationally constrained.
Install Mechanism
This is instruction-only with no install spec, which is lower-risk in that nothing is downloaded during install. However the skill includes a code file (tools/read.js) that will run inside the agent environment when invoked; any included code will execute at runtime even without an install step. There is no third-party package download or obscure URL involved.
Credentials
SKILL.md requests GROQ_API_KEY, SUPABASE_URL & SUPABASE_ANON_KEY, and TELEGRAM_BOT_TOKEN — these map to LLM inference, storage, and messaging and are plausible. However: (1) the registry metadata lists no required env vars (incoherent); (2) SUPABASE_ANON_KEY is typically a low-privilege key and may not be appropriate for write/delete operations (DSARs/opt-outs could require a service role key); (3) GROQ_API_KEY conflicts with the local default_model in config.json; and (4) email-sending is described but no SMTP/API keys are requested, suggesting an undocumented external dependency. The presence of a generic file reader increases the risk that environment secrets or local credentials could be accessed if the skill is misused.
Persistence & Privilege
always is false (no forced persistent inclusion), and disable-model-invocation is false (normal autonomous invocation allowed). The skill states it can proactively message users (cron/webhooks). Autonomous invocation combined with messaging and access to external services (Supabase/Telegram) increases blast radius if the skill misbehaves, but on its own this is an expected capability for this type of assistant.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install privacy-concierge
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /privacy-concierge 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of Privacy Concierge ("Guardian") skill for OpenClaw. - Calculates real-time privacy scores based on user data exposures. - Automates opt-out requests to 300+ data brokers and provides DSAR request tracking. - Performs daily scans for new data appearances or breaches. - Offers personalized privacy advice for social media and ad tracking. - Supports persistent user memory via Supabase. - Sends instant alerts for high-risk privacy events. - Provides conversational, source-backed answers to privacy-related questions.
元数据
Slug privacy-concierge
版本 1.0.0
许可证
累计安装 1
当前安装数 1
历史版本数 1
常见问题

Privacy Concierge 是什么?

Personal AI assistant that monitors your online privacy, calculates exposure scores, automates data broker opt-outs, tracks breaches, and offers privacy advice. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 498 次。

如何安装 Privacy Concierge?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install privacy-concierge」即可一键安装,无需额外配置。

Privacy Concierge 是免费的吗?

是的,Privacy Concierge 完全免费(开源免费),可自由下载、安装和使用。

Privacy Concierge 支持哪些平台?

Privacy Concierge 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Privacy Concierge?

由 charlielila(@charlielila)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论