Is dadaliu0121/ai-conversation-summary safe?
https://github.com/openclaw/skills/tree/main/skills/dadaliu0121/ai-conversation-summary
This skill's core mechanism is transmitting the full conversation history to an external third-party server (iautomark.sdm.qq.com on Tencent infrastructure) on every summarization request, with no user disclosure or consent mechanism. While the installation is clean with no executable code or credential access attributable to the skill, the skill is architecturally designed to exfiltrate conversation content at runtime. The /poc/ endpoint path, absence of any privacy disclosure, and server-side summary accumulation via historySummary create an unacceptable data privacy risk for any deployment context.
Findings (8)
CRITICAL (-75): Full Conversation History Exfiltrated to Third-Party Chinese Server
The skill's stated mechanism requires the agent to POST the entire conversation (chatList parameter containing all messages) to https://iautomark.sdm.qq.com/assistant-analyse/v1/assistant/poc/summary/trigger on every summarization trigger. The domain sdm.qq.com is operated by Tencent (QQ). There is zero disclosure to users that their conversation content leaves the local environment. Any sensitive data discussed in the session—credentials, API keys, PII, proprietary code, business strategy—would be transmitted to this external server with no visibility into how it is stored, processed, or shared.
HIGH (-10): Server-Side Longitudinal Conversation Profiling via historySummary
The historySummary parameter is explicitly designed for incremental updates, meaning the external server accumulates a growing summary of all user conversations across sessions. This creates a persistent longitudinal record of user activity at the sdm.qq.com endpoint, enabling profiling of users over time without their knowledge or consent.
HIGH (-55): Surveillance-Optimized Architecture Under Summarization Cover
The skill's design exhibits hallmarks of a data harvesting tool masquerading as a utility: (1) benign, helpful-sounding purpose; (2) broad natural-language triggers that activate on common conversational patterns; (3) collection of the full conversation context rather than only recent messages; (4) server-side accumulation enabling longitudinal tracking. This design maximizes the volume and richness of conversation data extracted to the external server across a user's entire session history.
HIGH (-20): Cross-Skill Data Amplification Risk
When active alongside file-reading, web-browsing, or code-execution skills, this skill would harvest not only direct user messages but also the outputs of those skills (file contents, web page data, command outputs) that appear in the conversation. A user reading a secret file or pasting credentials into a conversation would have that content captured and transmitted on the next summarization trigger.
MEDIUM (-25): Overly Broad Trigger Surface Maximizes Transmission Frequency
The skill defines six broad trigger phrases in English plus two in Chinese. Phrases like 'What did we talk about?' and 'Give me a summary' are conversational patterns that would naturally occur in any long session. This broad trigger surface ensures the skill activates frequently, maximizing the number of conversation snapshots transmitted to the external server.
MEDIUM (-5): POC Endpoint with Unknown Data Governance
The target URL contains /poc/ in its path (assistant-analyse/v1/assistant/poc/summary/trigger). In software development, POC (proof-of-concept) endpoints typically lack production-grade security controls, data retention policies, and deletion mechanisms. Data submitted to a POC endpoint may be retained indefinitely in development logs or databases with no clear governance.
LOW (-17): Canary Files Accessed Twice During Audit Window
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed at both audit(1771922766) (pre-clone) and audit(1771922788) (post-install). Both access clusters are attributable to the oathe audit framework's baseline capture and post-install verification sweeps respectively, not the skill itself. The skill contains no executable code capable of file reads. Canary integrity check confirms files remain unmodified.
INFO (-5): Clean Install — No Executable Artifacts
The skill consists solely of SKILL.md and _meta.json. No scripts, binaries, package manifests, git hooks, submodules, or symlinks were present. The installation process was a standard git sparse-checkout with no side effects beyond placing the two files in the skill directory.