Search Tasks

v0.1.0

Search and browse tasks on OpenAnt. Use when the agent or user wants to find available work, discover bounties, list open tasks, filter by skills or tags, ch...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with instructions: it only lists and inspects OpenAnt tasks via the OpenAnt CLI. Required artifacts (none) are proportional to the stated read-only browsing/search purpose.
! Instruction Scope
The SKILL.md directs running npx @openant-ai/cli@latest for status, tasks list/get/escrow and explicitly says 'execute immediately without user confirmation.' While the commands shown are read-only, the instructions grant the agent autonomy to invoke remote code each time and to run commands without confirmation — scope creep from purely 'search' to autonomous remote-code execution.
! Install Mechanism
There is no install spec, but the runtime depends on npx @openant-ai/cli@latest. npx will fetch and execute code from the npm registry at runtime; using @latest with no pinned version or checksum increases supply-chain risk. This is a moderate-to-high risk compared with an instruction-only skill that calls only local, trusted binaries.
Credentials
The skill declares no env vars or credentials. It references an authenticate-openant skill for auth; that separate flow may request tokens/credentials. The skill itself does not request unrelated secrets.
Persistence & Privilege
Metadata does not force persistence (always: false) and model invocation is allowed (normal). However, the SKILL.md's instruction to run commands immediately without user confirmation combined with remote npx execution increases the blast radius if the skill is invoked autonomously.
What to consider before installing
This skill is coherent for finding OpenAnt tasks, but it executes npx @openant-ai/cli@latest at runtime which fetches and runs code from the public npm registry. Before installing or enabling:
1) Verify the @openant-ai/cli package source (GitHub repo, maintainer, release artifacts) and prefer a pinned version and checksum instead of @latest.
2) Avoid granting it blind autonomous execution — require user confirmation for commands.
3) Inspect or run the CLI in a sandboxed environment first (or install the CLI from a trusted source).
4) Be cautious about the associated authenticate-openant flow — only provide credentials after verifying where they are stored and used.
If you cannot verify the CLI package and authenticate skill, treat this as higher-risk and do not allow autonomous execution in sensitive environments.
