Yoyoalphax Zentao1

v1.0.0

Integrates ZenTao project management APIs to query and manage products, projects, executions, stories, tasks, bugs, and related data via unified interface.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description claim to integrate ZenTao APIs; the repository includes two client libraries (REST and legacy) and a CLI script that call ZenTao endpoints. Required functionality (query/create/update/delete on ZenTao resources) is implemented in the included code and aligns with the stated purpose.
Instruction Scope
SKILL.md explicitly instructs the agent to read ZenTao credentials from a local TOOLS.md file, parse user commands, authenticate to the specified ZenTao host, and call the service's APIs. All referenced files/paths are within the skill (TOOLS.md, requirements.txt, lib/, scripts/) and the runtime actions (network calls to user-specified ZenTao endpoint) are consistent with the skill's function. The instructions require installing Python deps and running code that will execute the bundled libraries.
Install Mechanism
There is no automated install spec; SKILL.md recommends pip3 install -r requirements.txt which only lists requests and beautifulsoup4. This is low-to-moderate risk and expected for a Python CLI package. No external download URLs or opaque installers are used.
Credentials
The skill requests no environment variables but requires a local plaintext TOOLS.md file that contains the API URL, username and password. Storing credentials in a plaintext file is a security risk; while coherent with the skill's design, a more secure pattern (environment variables or secret storage) would be preferable. No unrelated credentials or config paths are requested.
Persistence & Privilege
The skill sets always:false, and there is no indication that it modifies other skills or system-wide agent settings. The skill is instruction-only for runtime behavior and does not request persistent elevated privileges.
Assessment
This skill appears to do what it claims: it will read ZenTao credentials from a local TOOLS.md file and call the ZenTao REST/legacy APIs. Before installing or running it: (1) inspect the TOOLS.md file and avoid committing it to version control—consider using environment variables or a secrets manager instead; (2) review the included Python files yourself (they currently form requests to the user-supplied ZenTao endpoint, which is expected) and run in an isolated virtual environment prior to installing dependencies; (3) note a minor metadata inconsistency (owner/slug/version differences across _meta.json, package.json, and the registry metadata) — this is not necessarily malicious but worth verifying the publisher's identity if you require provenance; (4) if you must run this in a production environment, prefer a least-privilege account on the ZenTao instance and audit any network traffic to ensure credentials are only sent to your ZenTao host.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d985dghkgfftk60b6aexgfd8398qj
