smallkeyboy

Voice Reminder

Author: smallKeyboy · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 62
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install voice-reminder
Description
Use when user wants to make an outbound call or send a voice reminder, including delayed calls like "X分钟后给XX打电话" or "通知XXX做YYY". Also trigger on general noti...
Security usage advice
This skill appears to implement outbound/scheduled calls, but review before installing. Key points to consider:
  - It sends phone numbers and message text to https://cljy.51znyx.com/marketservice/aisp/addSingleTask (hardcoded). If you are not comfortable with that domain receiving PII, do not install.
  - The scheduler builds and runs a shell command with user-controlled fields using shell=True (sleep + python ... '&'). This is vulnerable to command injection if untrusted text reaches the script; sanitize or avoid running on systems where untrusted input can be passed.
  - The scripts write scheduled_tasks.json in the repository/workspace — consider privacy and retention of contact data.
  - There is no install spec; the environment must have Python and the 'requests' package available. The code includes hardcoded task/user IDs instead of a documented API key or config.
Recommendations:
  1. Inspect and/or host the code yourself; change BASE_URL/IDs or require configurable credentials; do not rely on hardcoded identifiers.
  2. Replace shell-based backgrounding with a safer scheduler (e.g., use an agent scheduler, multiprocessing, or subprocess without shell and with properly quoted arguments), and validate/escape all user-provided strings.
  3. Confirm the trustworthiness and privacy policy of the external endpoint before allowing the skill to run with real phone numbers.
  4. If you must use it but want safer operation, run it in an isolated environment (container) and remove or sandbox network access to the external domain.
Functional analysis
Type: OpenClaw Skill
Name: voice-reminder
Version: 1.0.0
The skill bundle contains a critical shell injection vulnerability in `scripts/schedule_call.py` where user-provided content is passed directly into `subprocess.Popen` with `shell=True`. It also includes hardcoded API credentials and a history file (`scheduled_tasks.json`) containing PII such as names and phone numbers. While the code appears to legitimately implement a voice reminder service via `https://cljy.51znyx.com`, the lack of input sanitization and inclusion of sensitive data in the bundle are high-risk indicators.
Capability assessment
Purpose & Capability
Name/description map to making outbound calls and scheduling reminders, and the code implements that. However the implementation embeds a hardcoded BASE_URL and several hardcoded task/user IDs rather than using a configurable credential; that is unexpected but plausibly an internal integration. The hardcoded contacts and phone numbers are consistent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run the included Python scripts, which is consistent, but the scheduler script spawns shell background jobs with subprocess.Popen(..., shell=True) using user-controlled 'contact' and 'phone_content' values. This creates a command injection risk. The scripts also read/write scheduled_tasks.json and send phone numbers and message content to an external HTTP API — both are beyond ephemeral in-memory activity and warrant scrutiny.
Install Mechanism
This is instruction-only for install (no install spec). The skill includes Python scripts that require a Python interpreter and the 'requests' library; no packaging/install guidance is provided, so runtime failures are possible. Lack of an install spec is low-risk in itself but means dependencies are not enforced.
Credentials
The skill requests no environment variables or credentials, but it transmits personally identifiable data (phone numbers and message text) to an external host (https://cljy.51znyx.com). There are hardcoded task and user IDs in the code — unusual to see identifiers baked in without explanation. Even though no secrets are required, the skill will send user-supplied content off-host, which may be disproportionate if the user did not expect an external service call.
Persistence & Privilege
The scheduler creates persistent effects: it writes/updates scheduled_tasks.json on disk and launches background shell processes (sleep ... &), which will continue outside the agent's immediate runtime. This grants the skill the ability to run long‑lived subprocesses on the host and accumulate persistent state.
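How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install voice-reminder
  3. After installation, invoke the skill by name or trigger it with /voice-reminder
  4. Provide the required input according to the skill's parameter description to get structured output
Version history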
v1.0.0
Initial release: outbound call and voice reminder skill
Metadata
Slug: voice-reminder
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
FAQ

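What is Voice Reminder?

Use when user wants to make an outbound call or send a voice reminder, including delayed calls like "X分钟后给XX打电话" or "通知XXX做YYY". Also trigger on general noti... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 62 total downloads to date.

How do I install Voice Reminder?

Run the command "/install voice-reminder" in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is required.

Is Voice Reminder free?

Yes, Voice Reminder is completely free and uses the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does Voice Reminder support?

Voice Reminder runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Voice Reminder?

Developed and maintained by smallKeyboy (@smallkeyboy); the current version is v1.0.0.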
