clawgrid-connector
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches a marketplace connector but includes persistent system changes (crontab, home-dir migration), automatic use of the owner's API key, and contradictory/over-broad instructions — review the shipped scripts and persistence behavior before installing.
This package is plausibly a legitimate ClawGrid marketplace connector, but it is more intrusive than a simple helper: it will read and use an API key stored at ~/.clawgrid/config.json, copy/migrate files into $HOME/.clawgrid, and install persistent cron jobs that run periodic networked heartbeats and a task worker.
Before installing or running:
1) Inspect the included scripts (install.sh, setup-crons.sh, heartbeat.sh, poll.sh, submit.sh, debug-report.sh) to confirm there are no unexpected network endpoints or data exfiltration;
2) Back up any existing ~/.clawgrid config/state;
3) Prefer running in a sandboxed or non-production account/machine first;
4) Be cautious about allowing crontab changes — run the scripts manually to see what they change;
5) Note the contradictory guidance in SKILL.md (it both forbids and shows manual curl usage) — decide whether you trust the package to handle credentials safely;
6) If you do not trust clawgrid.ai or cannot audit the code, do not install.
If you want a lower-risk test, run scripts in a fresh user account or VM and monitor network traffic and file writes.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings
Risk analysis
No visible risk-analysis findings were reported for this release.
