Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Team Task Dispatch
v0.1.0Coordinate team task execution on OpenAnt. Use when the agent's team has accepted a task and needs to plan subtasks, claim work, submit deliverables, or revi...
⭐ 0· 334·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description match the instructions: the SKILL.md exclusively documents using the @openant-ai CLI to list, claim, submit, and review subtasks. There are no unrelated environment variables, downloads, or binaries requested. Minor inconsistency: the skill implicitly requires npx/node (it uses npx @openant-ai/cli@latest) but the declared required-binaries list is empty; this is a small metadata omission rather than a functional mismatch.
Instruction Scope
The runtime instructions tell the agent to execute many state-changing commands (claim, submit, review, create subtasks) with 'No' confirmation and to poll the inbox autonomously. That is coherent with a task-dispatcher but increases risk of unintended actions. The SKILL.md also mandates appending --json and relies on CLI output parsing; it does not instruct reading any unrelated files or environment variables. Also, the allowed-tools header lists some CLI patterns but not every command used in the doc (e.g., submit/review/start), which may be a tooling/metadata mismatch.
Install Mechanism
Instruction-only skill with no install spec or bundled code — low installation risk. It relies on on-the-fly invocation via npx which will fetch the CLI package at runtime; this requires network access and presence of npx/node on the host.
Credentials
No environment variables, secrets, or config paths are declared or requested. Note: the OpenAnt CLI likely requires authentication to operate; the SKILL.md does not describe how credentials are provided (e.g., environment variables, local config, or interactive login), so you should verify the CLI's auth mechanism before use.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not claim persistent system privileges. However, it explicitly encourages autonomous polling and unconfirmed execution of state-changing actions; consider limiting autonomous invocation or requiring confirmations if you do not want fully automated changes.
Assessment
This skill appears to do what it says: run the OpenAnt CLI to manage subtasks. Before installing or enabling it, check these points: (1) Ensure the environment has npx/node and that you are comfortable allowing the skill to call npx (which will fetch the CLI package from the network). (2) Verify how the OpenAnt CLI authenticates — the SKILL.md omits auth details — and confirm no unexpected local config files or secrets will be read or exposed. (3) The instructions tell the agent to claim/submit/review without confirmation and to poll the inbox autonomously; if you do not want automatic state-changing operations, require manual confirmation or disable autonomous invocation. (4) The SKILL.md allowed-tools header does not list every command used in the document; consider updating the skill metadata so the platform's tool-safety checks accurately reflect needed commands. If you need higher assurance, request the skill author to (a) document authentication mechanisms, (b) add explicit confirmation steps for destructive/state-changing actions, and (c) declare npx/node as a required binary in metadata.Like a lobster shell, security has layers — review code before you run it.
latestvk975xm0mv6d6nbmzgae9yebrrx823yks
License
MIT-0
Free to use, modify, and redistribute. No attribution required.