skill-c-fetch-minutes

Author: myd2002 · GitHub · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 123
Favorites: 0
Current installs: 0
Versions: 3
Install in OpenClaw
/install skill-c-fetch-minutes
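Description
[Post-meeting minutes fetching and issue-draft generation] Triggered every 10 minutes by OpenClaw cron. After a meeting ends, it pulls the transcript and AI smart minutes from Tencent Meeting, has OpenClaw perform a two-stage issue extraction, generates four files including draft_issue.md and commits them to Gitea, and finally notifies the organizer to review. It does not handle meeting creation, pre-meeting briefs, or final issue creation.
Security usage recommendations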
Before installing or enabling this skill:
- Note the manifest/registry declares no required env vars, but the code and setup script require a config file at ~/.config/skill-c-fetch-minutes/.env and the variables GITEA_BASE_URL, GITEA_TOKEN_BOT, and AIFUSION_META_REPO. Do not provide credentials until you confirm these requirements.
- The GITEA_TOKEN_BOT grants repository and meta-repo access (read/write). Use a dedicated bot account with the minimum necessary scopes (only the specific repos and meta-repo), not a personal or org-wide admin token.
- The env-example contains an IP address (43.156.243.152:3000). Verify the intended Gitea host and do not point credentials to unknown hosts.
- setup.sh will run pip install -r requirements.txt (uses --break-system-packages). Run setup inside an isolated environment (virtualenv, container) rather than on your system Python to avoid system-wide changes.
- Review the code paths that call the Gitea API (gitea_utils.py, log_utils.py, commit_content.py, scan.py) to ensure behaviour and targets are acceptable (which repos will be enumerated via /repos/search and what the token can access).
- If you want to proceed, consider: create a least-privilege bot token limited to specific repos and meta repo; run the skill in an isolated environment; and test against a staging Gitea instance first.
If you want, I can list the exact lines where the code reads env vars and calls Gitea APIs and suggest minimal token scopes to grant.
Functional analysis
Type: OpenClaw Skill
Name: skill-c-fetch-minutes
Version: 1.0.2
The skill bundle automates meeting minutes processing but contains a significant security vulnerability in `scripts/commit_content.py`. The script accepts arbitrary file paths via command-line arguments (e.g., `--transcript-file`) and uploads their contents to Gitea without path sanitization or directory-restriction validation. This creates a risk of arbitrary file exfiltration; if the AI agent is manipulated via prompt injection to provide paths to sensitive local files (such as `~/.ssh/id_rsa` or `.env` files), the script will read and upload them to the Gitea repository. While the behavior aligns with the stated purpose, the lack of input validation on file operations is a high-risk flaw.
Capability assessment
Purpose & Capability
The skill's name/description describe a cron-driven post-meeting flow that pulls transcripts (via a separate tencent-meeting-skill), runs AI extraction in OpenClaw, and commits files to Gitea. The included code implements Gitea scanning, status updates, file upsert, and logging—which matches the described purpose. However the registry metadata declared no required env vars/config paths while the code and SKILL.md require a config file at ~/.config/skill-c-fetch-minutes/.env and Gitea-related environment variables. That mismatch between declared requirements and real requirements is an incoherence worth noting.
Instruction Scope
The SKILL.md instructions and scripts are scoped to scanning Gitea repos, updating meeting statuses, writing files to Gitea, and producing email payloads. The skill does not itself call Tencent Meeting APIs (it delegates that to another skill) and it does not attempt to read arbitrary unrelated files. It does read ~/.config/skill-c-fetch-minutes/.env for configuration (declared in SKILL.md), which is appropriate for its operation.
Install Mechanism
There is no formal install spec in the registry, but the bundle includes a setup.sh that runs pip install -r requirements.txt (PyPI packages). This is a common install path but means code will install Python packages on the host. setup.sh uses pip with --break-system-packages which can be intrusive on some systems; there are no downloads from unknown URLs or archives in the manifest.
Credentials
The registry metadata lists no required environment variables or config paths, yet the code and setup script require and use GITEA_BASE_URL, GITEA_TOKEN_BOT, and AIFUSION_META_REPO (via ~/.config/skill-c-fetch-minutes/.env). Those are sensitive: the Gitea token is used for repository search, reading and writing files, and writing logs into the meta repo. The skill will therefore need a token with read/write access to managed repos and the meta repo; that privilege should be minimised and explicitly requested in metadata. Also env-example contains an IP-based Gitea endpoint (43.156.243.152:3000) — it's only an example but you should confirm the intended host before providing credentials.
Persistence & Privilege
The skill is not marked always:true. It does modify repositories and write logs to a meta repo (expected for its purpose). It does not attempt to modify other skills' configs. However because it writes to repositories and the meta log, the Gitea token should be scoped to the minimum necessary privileges; this is a privilege consideration rather than an incoherence.
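How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install skill-c-fetch-minutes
  3. Once installed, invoke the Skill by name or trigger it with /skill-c-fetch-minutes
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history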
v1.0.2
- Adds a mandatory 20-minute grace period after meeting end before post-processing starts; only meetings ended for over 20 minutes are processed.
- `scan` now includes a `ready_for_postprocess` flag and only returns eligible meetings; `set-waiting` requires this condition and returns `skipped=true` if not met.
- B and C class meeting scanning fields enhanced (`meeting_end_time`, `ready_after_time`, etc.) for improved timing and retry logic.
- Workflow and error handling updated: meetings not past the 20-minute waiting window are skipped until eligible, ensuring accurate status transitions.
- No code or file logic changes; documentation and workflow are aligned for stricter, safer meeting post-processing.
v1.0.1
- Now supports processing meetings in both `scheduled` and `brief-sent` states after meeting ends, ensuring the workflow continues even if the pre-brief is skipped.
- Enhanced `scan` and `set-waiting`: add compatibility for `scheduled` status, not just `brief-sent`.
- Improved robustness to handle late-started meetings: Class A (class_a) now includes both `scheduled` and `brief-sent` meetings.
- Updated documentation with key compatibility logic and clearer instructions about supported meeting statuses.
v1.0.0
skill-c-fetch-minutes v1.0.0
- Initial release.
- Automates post-meeting transcript fetching from Tencent Meeting and AI summary retrieval.
- Runs every 10 minutes, managing meeting status transitions and error handling.
- Performs two-stage AI extraction to generate and commit four key files (transcript.md, ai_summary.md, minutes.md, draft_issue.md) to Gitea.
- Sends notification emails to organizers for review or manual transcript upload if needed.
- Excludes meeting creation, pre-meeting briefs, and direct issue creation.
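Metadata
Slug: skill-c-fetch-minutes
Version: 1.0.2
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 3
FAQ

What is skill-c-fetch-minutes?

[Post-meeting minutes fetching and issue-draft generation] Triggered every 10 minutes by OpenClaw cron. After a meeting ends, it pulls the transcript and AI smart minutes from Tencent Meeting, has OpenClaw perform a two-stage issue extraction, generates four files including draft_issue.md and commits them to Gitea, and finally notifies the organizer to review. It does not handle meeting creation, pre-meeting briefs, or final issue creation. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 123 total downloads to date.

How do I install skill-c-fetch-minutes?

Run the command "/install skill-c-fetch-minutes" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is skill-c-fetch-minutes free?

Yes, skill-c-fetch-minutes is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does skill-c-fetch-minutes support?

skill-c-fetch-minutes is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed skill-c-fetch-minutes?

Developed and maintained by myd2002 (@myd2002); the current version is v1.0.2.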