yf-memo
Author: Yi-Fan Song · v1.0.0 · MIT-0
Total downloads: 226
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install yf-memo
Description
Personal memo and todo management system. Use when user expresses intent related to remembering, tracking, or managing tasks.
Security usage recommendations
This skill appears to be what it claims (a local memo/todo system) but has several implementation issues you should review before installing:
1) The hook and some docs reference template filenames (template-todo.md, template-done.md, assets names) that don't match the provided asset filenames (template-pending.md, template-completed.md) — running the hook as-is may fail or behave unexpectedly.
2) Several scripts and examples use sed -i '' (BSD/macOS syntax) which will break on many Linux systems; expect portability bugs.
3) The skill suggests editing ~/.bashrc, creating symlinks in ~/.local/bin, and adding cron jobs — these change your environment and should only be performed with your explicit consent after reading the hook/install commands.
4) The documentation contains both a directive to avoid hard-coded phrase-action mappings and an implementation doc that lists many exact regex patterns, which is an internal inconsistency (affects how the assistant may parse user text).
Recommended actions: review the hook and scripts line-by-line (especially any cp, sed, or echo >> ~/.bashrc operations); run in a controlled environment (or sandbox) first; backup ~/.openclaw/workspace files before running hooks; and request corrected hook/assets from the author (or fix template names and sed compatibility) before enabling automatic setup or cron tasks.
Functional analysis
Type: OpenClaw Skill
Name: yf-memo
Version: 1.0.0
The skill implements a functional personal memo system but contains significant shell injection vulnerabilities. The `memo-helper.sh` script uses unsanitized user input directly within `sed` commands and shell arguments, which could be exploited to execute arbitrary commands if a user provides a crafted task description (e.g., containing backticks or semicolons). While the behavior appears aligned with the stated purpose of task management and no clear evidence of intentional malice or data exfiltration was found, the high-risk execution patterns in `SKILL.md` and `implementation.md` warrant a suspicious classification.
Capability assessment
Purpose & Capability
The skill is a local memo/todo manager and the scripts operate on ~/.openclaw/workspace/pending-items.md and completed-items.md which is coherent with the description. Required binary is only bash, which makes sense.
Instruction Scope
The SKILL.md instructs the agent to locate and execute local scripts and to read/write workspace markdown files — appropriate for a memo skill — but there are contradictory implementation notes: SKILL.md says "DO NOT" hard-code phrase→action mappings while references/implementation.md includes many exact regex patterns and parsing logic. The skill also suggests editing shell profiles and creating cron jobs (hooks/openclaw/HOOK.md and path-resolution examples), which broaden the scope to modifying user environment.
Install Mechanism
There is no remote download or installer (manual copy of directory is expected), which reduces supply-chain risk. However the included hook and path-resolution docs propose copying files, creating symlinks, and adding lines to shell profiles/crontab — all manual steps the user must review before running.
Credentials
The skill does not request credentials or env vars, which is appropriate. Still, documentation contains snippets that would append exports to ~/.bashrc, set up cron jobs, and copy files into the user's home; these are environment changes not strictly required just to store local todos and should be explicitly approved by the user. The hook also references template filenames that don't exist in the asset list (see detail), which could lead to unexpected behavior when run.
Persistence & Privilege
always is false and model invocation defaults are normal. The hook offers an optional auto-setup that can create files and optionally add a daily cron job — this gives the skill persistent scheduled execution if a user accepts the hook/cron, so the user should confirm before enabling. The skill does not request elevated system privileges.
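How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install yf-memo
- After installation, call the Skill by name or use /yf-memo to trigger it
- Provide the required input according to the Skill's parameter description to get structured output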
Version history
v1.0.0
yf-memo 1.0.0
- Initial release of personal memo and todo management skill for OpenClaw.
- Supports intent-based task tracking, completion, and review through natural conversation.
- Handles addition, completion, status inquiry, and accomplishment review of tasks.
- Flexible language support (Chinese and English); prioritizes user intent over fixed commands.
- Installation and script usage instructions provided, including dynamic path handling.
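Frequently asked questions
What is yf-memo?
Personal memo and todo management system. Use when user expresses intent related to remembering, tracking, or managing tasks. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 226 cumulative downloads to date.
How do I install yf-memo?
Run the command "/install yf-memo" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is yf-memo free?
Yes, yf-memo is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does yf-memo support?
yf-memo runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (darwin, linux).
Who developed yf-memo?
It is developed and maintained by Yi-Fan Song (@yfsong0709); the current version is v1.0.0.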