Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ZenTao MCP agent pro

v1.1.0

ZenTao MCP large-model capability extension pack. It provides four groups of native capabilities: cross-project aggregated data views, one-sentence task generation, seamless effort logging (Log Effort), and automatic state transitions.

1· 319·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, CLI examples, and LLM tool calls (getDashboard, createTask, addEstimate, etc.) are coherent for a ZenTao management assistant — the declared npm package and created binaries (zentao-mcp, zentao-cli) are consistent with the described capabilities.
Instruction Scope
SKILL.md instructs the agent to call specific tools and to use the CLI for login and operations — instructions stay within the stated purpose (querying, creating tasks, logging effort, state transitions, extracting links). It also references team caches and local 'team save' state: the skill will read/write local CLI configuration/state, which is reasonable but not explicitly declared.
Install Mechanism (flagged)
Install is via an npm package (@chenish/zentao-mcp-agent) that creates CLI binaries. Using npm is normal for a CLI, but the skill metadata provides no homepage/source repository or publisher information. Without a verifiable upstream (repo, homepage, or known maintainer), installing unknown npm code that creates binaries is a higher-risk operation.
Credentials (flagged)
The skill declares no required env vars, but runtime instructions require logging in with a ZenTao account (zentao-cli login --url ... --account <账号> --pwd <密码>) and imply local caching of team lists/credentials. Requesting user ZenTao credentials is expected for this integration, but the skill does not document where/how credentials and tokens are stored, nor does it declare any required config paths — this opacity raises a proportionality/credential-handling concern.
Persistence & Privilege
The always flag is false and the skill is user-invocable. It does create CLI tooling that may persist configuration locally (team cache, login tokens), which is expected for a CLI helper and not over-privileged relative to its purpose.
What to consider before installing
This skill appears to do what it says (ZenTao task dashboard, create tasks, log effort, etc.), but exercise caution before installing:
1) Verify the npm package source and maintainer (look up @chenish/zentao-mcp-agent on the npm registry, inspect its repository and recent commits).
2) Prefer installing in a sandbox or VM first; review the package contents (especially any code that runs on install or creates binaries).
3) Understand where credentials will be stored — avoid supplying privileged admin credentials unless you trust the publisher.
4) If possible, create a limited ZenTao account (least privilege) for the integration.
5) If you need higher confidence, ask the publisher for a repository link, a published changelog, or a signed release; providing those would increase my confidence and could change the verdict to benign.

Like a lobster shell, security has layers — review code before you run it.

latest · vk97cm7xkvc16qgwkhwh6p4em5982sjdd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

🚀 Clawdis

Install

Install ZenTao AI Assistant
Bins: zentao-mcp, zentao-cli
npm i -g @chenish/zentao-mcp-agent
