← 返回 Skills 市场

SecondMind

Name: SecondMind
Author: emphaiser

作者 Emphaiser · GitHub ↗ · v1.4.0

cross-platform ⚠ suspicious

1172

总下载

当前安装

版本数

在 OpenClaw 中安装

/install secondmind

功能描述

Autonomous three-tier memory with proactive initiative, project tracking, and social intelligence. Ingests OpenClaw conversations, extracts knowledge + emoti...

安全使用建议

SecondMind appears to do exactly what it claims: it reads your OpenClaw session JSONL files, stores local SQLite records, calls OpenRouter for LLM operations, and can notify via Telegram/Discord. Before installing, consider the following: - Review the code and config.json yourself (or in a sandbox) before running setup.js. The repository will create a local data directory (data/secondmind.db) and install cron/Task Scheduler jobs that run every 30 minutes / 6 hours / daily — check and approve those changes. - Keep your OpenRouter API key and Telegram bot token private. The skill asks you to add the OpenRouter key into config.json (or to provide it via an agent prompt); only provide the key if you trust the environment and accept potential API usage/billing. - The skill will capture session contents (including active sessions) during its flush/ingest flows; if you have sensitive conversation content, review what gets stored and where (data/). - Cron jobs and the standalone bot will generate periodic outbound network traffic (OpenRouter API + optional Telegram/Discord). Expect small, recurring API usage and costs; choose model settings carefully. - If you are uncomfortable with persistent background jobs, run the scripts manually for testing (node scripts/status.js, ingest.js, consolidate.js, initiative.js) instead of installing cron/schtasks. Minor metadata note: registry metadata said “no install spec” while SKILL.md includes an npm install step — that mismatch likely reflects metadata staleness but you should verify the install steps prior to running them.

功能分析

Type: OpenClaw Skill Name: secondmind Version: 1.4.0 The skill is classified as suspicious due to significant shell injection vulnerabilities (RCE risk) present in the `SKILL.md` instructions. The AI agent is explicitly instructed to execute shell commands with user-provided arguments (e.g., `/accept <ID...> [comment]`, `/proposals [filter]`, `/smsearch <query>`). If the OpenClaw agent concatenates user input directly into these commands without proper sanitization, it could lead to arbitrary code execution. Additionally, `AGENT-SETUP.md` poses prompt injection risks by instructing the agent to handle sensitive configuration (API keys, paths) and execute setup scripts. While the core functionality and LLM prompts appear benign and include self-imposed safeguards against sensitive data, these vulnerabilities allow for potential exploitation by a malicious user.

能力评估

✓ Purpose & Capability

The skill name/description (autonomous memory, proactive suggestions) lines up with the code and instructions: it ingests OpenClaw JSONL sessions, stores them in a local SQLite DB, runs consolidation/initiative jobs, uses an LLM provider (OpenRouter), and offers Telegram notifications and project tracking. Required binary is just node, which matches the Node.js implementation.

ℹ Instruction Scope

SKILL.md and AGENT-SETUP.md explicitly instruct running setup.js, creating cron/scheduler jobs, and running multiple scripts (ingest, consolidate, initiative, flush, etc.) that read session files and write to a local DB. This is within the stated scope. Two items to be aware of: (1) a CRITICAL pre-reset step instructs running flush.js to capture active session contents prior to resets (intended for data retention but will capture ephemeral session content), and (2) AGENT-SETUP.md instructs the agent to ask the user for their OpenRouter API key — users should be cautious about supplying secrets via an agent prompt.

ℹ Install Mechanism

The skill's install step runs npm install --production in the repo, which pulls dependencies declared in package.json (notably better-sqlite3, etc.). This is a standard package install from npm (no arbitrary URL downloads observed). better-sqlite3 is a native module and may require build tools. Registry metadata earlier said 'no install spec' while SKILL.md includes an install command — a minor metadata inconsistency but not a direct security indicator.

ℹ Credentials

The skill does not require OS credentials or unrelated secrets. It expects an OpenRouter API key (stored in config.json) and optionally Telegram bot token / Discord webhook for notifications — these are proportional to the stated functionality. One mismatch: registry/metadata lists no required env vars, yet setup and docs require an OpenRouter API key in config.json (not an env var). The agent-assisted setup suggests prompting the user to provide the OpenRouter key — treat that as sensitive and only provide it if you trust the skill/agent and understand billing implications.

ℹ Persistence & Privilege

The skill does not set always:true and does not alter other skills. However, setup.js installs persistent background jobs (crontab on Linux or scheduled tasks on Windows) that will run regularly and perform ingestion, consolidation, archival, and initiative tasks. This persistent scheduling is consistent with the skill purpose but is a meaningful level of system presence that the user should explicitly approve and review.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install secondmind
安装完成后，直接呼叫该 Skill 的名称或使用 /secondmind 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.4.0

## SecondMind v1.4.0 – "Project Tracker" ### New Features - **Project Tracking**: `/accept` automatically creates tracked projects - `/projects` command to view active/completed projects - `/complete` marks projects as done – permanently excluded from future suggestions - Initiative engine checks project state before suggesting (no duplicates) - Project count in `/status` output ### Fixes - **Initiative dedup overhaul**: Blacklist now covers ALL rejected/dead/completed proposals (was 7 days) - **Hard blacklist safety net**: Fuzzy keyword matching blocks reformulated duplicates even when LLM ignores instructions - **Explicit blacklist section in LLM prompt** with examples and strict rules - `/drop` now archives related knowledge entries to longterm (source dries up, not just the proposal) ### Breaking Changes - None. Migration runs automatically on first start.

v1.3.0

v1.3.0 – "From Suggestion Bot to Buddy" - Three-tier autonomous memory (short → mid → long-term) - Proactive initiative engine with social intelligence - Semantic deduplication (Hash → FTS → LLM) - Bulk feedback + natural language commands - Archive retrieval in initiative pipeline - Gentle reminders + auto-throttle - Telegram integration with full command set - All models via OpenRouter (~$0.60-1.65/month) Made by AI, for AI. Created by Emphaiser.

元数据

Slug secondmind

版本 1.4.0

许可证 —

累计安装 1

当前安装数 1

历史版本数 2

常见问题

SecondMind 是什么？

Autonomous three-tier memory with proactive initiative, project tracking, and social intelligence. Ingests OpenClaw conversations, extracts knowledge + emoti... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 1172 次。

如何安装 SecondMind？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install secondmind」即可一键安装，无需额外配置。

SecondMind 是免费的吗？

是的，SecondMind 完全免费（开源免费），可自由下载、安装和使用。

SecondMind 支持哪些平台？

SecondMind 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 SecondMind？

由 Emphaiser（@emphaiser）开发并维护，当前版本 v1.4.0。