Three Shrimp Collaboration System (三只虾协作系统)

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its collaboration purpose, but it asks users to install persistent background monitors and send external notifications with missing launchd config files and a hard-coded Feishu recipient.

Review the launchd plist files before installing; they are referenced but not included here. Replace the hard-coded /Users/zhangyang paths and Feishu recipient/webhook values with your own, and only enable the background heartbeat/fswatch services if you are comfortable with persistent monitoring of the task queue.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could be asked to install background services whose launch configuration is missing from the reviewed package.

Why it was flagged

The installer loads launchd plist files that are not present in the supplied file manifest, so the exact persistent programs that would be registered cannot be reviewed from the artifacts.

Skill content

cp "scripts/com.openclaw.heartbeat.plist" "$LAUNCH_AGENTS_DIR/"
cp "scripts/com.openclaw.fswatch.plist" "$LAUNCH_AGENTS_DIR/"
...
launchctl load "$LAUNCH_AGENTS_DIR/com.openclaw.heartbeat.plist"

Recommendation

Do not load the LaunchAgents unless the plist files are present and reviewed; the publisher should include them in the package and document exactly what they run.

What this means

After setup, the skill can keep checking files and producing logs/notifications without the user manually running it each time.

Why it was flagged

The skill intentionally sets up persistent macOS LaunchAgents for heartbeat and file-change monitoring.

Skill content

cp scripts/com.openclaw.heartbeat.plist ~/Library/LaunchAgents/
launchctl load ~/Library/LaunchAgents/com.openclaw.heartbeat.plist

cp scripts/com.openclaw.fswatch.plist ~/Library/LaunchAgents/
launchctl load ~/Library/LaunchAgents/com.openclaw.fswatch.plist

Recommendation

Install only if you want persistent background monitoring, and keep the documented unload commands handy to disable it.

What this means

If followed as written, task results or private work details could be sent through the user's Feishu authority to the wrong hard-coded recipient.

Why it was flagged

The notification instructions use a specific Feishu user ID as the message target rather than requiring the installer to configure their own recipient.

Skill content

message action=send channel=feishu target=user:ou_967d17eccf0faa8814004cc4f0458140 message="✅ 任务完成..."

Recommendation

Replace all hard-coded Feishu user IDs/webhooks with user-controlled configuration and require confirmation before sending external notifications.

What this means

Anyone or anything that can modify the shared task queue may influence what agents do next.

Why it was flagged

The collaboration design makes persistent shared files such as tasks/queue.md authoritative for future agent behavior.

Skill content

1. Read tasks/queue.md
2. Check whether any [待处理] (pending) tasks are assigned to you
3. If so → claim and execute them

Recommendation

Restrict who can edit the queue and memory files, and review new tasks before allowing agents to execute them automatically.