Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hogwarts Magical Claw for Research Laboratory

v1.0.0

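An intelligent collaboration assistant for AI research teams. Used for: (1) managing the team knowledge base and tracking project progress (2) assisting with meeting minutes, literature reviews, and experiment records (3) code assistance and data analysis (4) running daily/weekly work cycles according to the team protocol. Triggered when a team member @-mentions the AI in an Issue, PR, or instant message, or when knowledge management, project progress monitoring, or document collaboration is needed.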

by Fang, Chao @biociao
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's stated purpose (team knowledge & progress assistant) reasonably requires reading project docs, producing summaries, and creating commits. However, the SKILL.md also instructs writing to repository paths, running git commit/git push, and reading/writing files in /root/.openclaw — yet the skill declares no required config paths, environment variables, or credentials. That omission is an incoherence: the skill expects repository write/notification privileges and access to system paths without declaring or requesting them.
! Instruction Scope
Runtime instructions explicitly tell the agent to: read many repo paths (docs/, meetings/, members/*), perform periodic HEARTBEAT checks every ~30 minutes, update members/RunWheezy knowledge and task files, create commit messages and push to a branch, and notify/team-mention members via IM (Matrix/Slack/etc.). These are concrete read/write and network-notification actions that go beyond simple passive assistance. The instructions also refer to creating files under /root/.openclaw and adding comments into other members' files in some cases — both of which are sensitive and not constrained by the metadata. There are also minor internal conflicts (protocol says other members' directories are read-only, but elsewhere shows annotating member files).
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes installation risk (no external archives or packages are pulled).
! Credentials
The SKILL.md expects the agent to push commits and send notifications to IM channels, which normally require git credentials and messaging tokens, but requires.env is empty and primary credential is none. The skill also references system paths (e.g., /root/.openclaw/workspace/HEARTBEAT.md) and reading many members' files; those imply filesystem and credential access that are not declared or constrained. Requesting implicit access to repository write/push and IM channels without declaring them is disproportionate and risky.
! Persistence & Privilege
The skill describes frequent periodic activity (every 30 minutes heartbeat checks, daily/weekly jobs, cron-style scheduling) and automatic proactive messaging. Although metadata does not set always:true, the operational behavior implies persistent, autonomous operations and write privileges (git push, file writes). Combined with missing declarations for credentials and system paths, this increases the blast radius if misconfigured or abused. The skill also instructs creating long-lived files and branches in the repo.
What to consider before installing
This skill plausibly does what it says (team assistant) but its runtime instructions require repository read/write access, git push capability, scheduled autonomous runs, and messaging tokens — none of which are declared. Before installing:

1) Ask the author which credentials/tokens and file-system paths the skill needs and why.
2) Only grant a dedicated service account with minimal repo permissions (write only to a restricted branch or a dedicated 'ai-assistant' namespace) and avoid giving access to root or other members' personal directories.
3) Protect branches (require PRs or human approval) so the skill cannot auto-push arbitrary commits.
4) Run the skill initially in read-only mode or a sandbox clone of the repo, and review all generated commits/files for several cycles.
5) Disable automatic 30-minute heartbeats until you confirm scheduling mechanics and limits.
6) Verify how IM/Matrix/Slack notifications are sent and provide only scoped, revocable tokens.
7) Confirm and enforce the 'human-in-the-loop' triggers in practice (so critical actions require explicit human approval).

If the author cannot justify or document the required credentials and file-paths precisely, treat installation as high-risk.
