Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Project Sharing System

v1.0.0

Project Sharing System: multi-agent project status collaboration and automatic discovery

by Clement Gu (@clementgu)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for clementgu/project-sharing-system.

Install the skill "Project Sharing System" (clementgu/project-sharing-system) from ClawHub.
Skill page: https://clawhub.ai/clementgu/project-sharing-system
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install project-sharing-system

ClawHub CLI

npx clawhub@latest install project-sharing-system

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description (project-sharing, multi-agent project status) matches the included CLI, snapshot and backup scripts. The requested capabilities (list, show, add, update, sync, snapshot) align with the code. However some code paths reference different workspace locations (defaults to $HOME/.openclaw/workspace vs. __dirname/..), which is inconsistent with a single clear runtime workspace.
Instruction Scope
SKILL.md instructs Agents to read snapshots and use CLI; the scripts do exactly that (generate snapshots, print agent-parsable lines). They read/write projects_status.json, PROJECT_STATUS.md, create backups and memory files. No network endpoints or secret exfiltration are present. But the instructions grant the skill broad discretion to read and write multiple files in the user's CLAWHUB_WORKDIR or $HOME/.openclaw/workspace and to append to a 'memory' directory—actions not explicitly declared in SKILL.md.
Install Mechanism
No install spec — instruction-only with shipped scripts. That limits external code download risk. All code is bundled with the skill (no remote fetches or installers).
Credentials
SKILL metadata declares no required env vars, but the scripts use environment variables (CLAWHUB_WORKDIR, AGENT_ID). They default to $HOME/.openclaw/workspace or derive WORKSPACE from __dirname, so environment affects behavior. The skill also writes into a 'memory' directory and may append daily memory files. These env usages and file writes are reasonable for a project tool but are not declared and could cause the skill to read/write unexpected locations depending on environment.
Persistence & Privilege
always:false (normal). The skill writes/updates data files (projects_status.json, PROJECT_STATUS.md), creates backups and memory logs. One inconsistency: update_project_status.js writes to PROJECTS_JSON_PATH defined as path.join(__dirname, '..', 'projects_status.json'), which may modify the installed package's bundled JSON (i.e., files inside the skill directory) rather than a user workspace. That behavior is ambiguous and may result in the skill modifying its own shipped files or unexpected locations; it's not an overt privilege escalation but should be understood.
What to consider before installing
This package mostly does what its name says (CLI, snapshots, backups), but review these before installing:

  • Paths & env: scripts honor CLAWHUB_WORKDIR and AGENT_ID but the skill metadata declares no env vars. Confirm where projects_status.json and PROJECT_STATUS.md will be stored (user workspace vs. skill directory).
  • File writes: the tool will write/overwrite projects_status.json, PROJECT_STATUS.md, create backups and append to a 'memory' folder. Make backups of any existing project files first.
  • Ambiguity: update_project_status.js uses __dirname/.. to locate projects_status.json which could cause it to modify files bundled with the skill instead of your workspace. Search/modify these paths to point to a safe workspace before using.
  • Run in a sandbox first: execute project sync / discover_projects.sh in a controlled environment (or with a test CLAWHUB_WORKDIR) to observe where files are created.
  • Minor bugs: there are small code inconsistencies (e.g., property names used in log entries) — expect noisy logs and test behavior.

If you accept these caveats, install in a safe workspace and/or adjust the WORKSPACE/CLAWHUB_WORKDIR to a directory you control.
scripts/project.js:48
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latest: vk979xp7ttmzrfc93thshf4kg3n85dth3
63 downloads
0 stars
1 version
Updated 4d ago
v1.0.0
MIT-0

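📋 Project Sharing System

A multi-agent system for sharing project status and collaborating. It keeps every agent up to date on the current project status in real time and supports automatic discovery, status synchronization, and history tracing.

Installation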

clawhub install project-sharing-system

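Usage

Automatic configuration after installation

Once installation completes, the project system automatically:

  • Creates projects_status.json and PROJECT_STATUS.md
  • Sets up the project CLI command
  • Configures automatic backups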

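CLI commands

project list                    # List all projects
project show <id>               # Show project details
project add <id> --name "项目"  # Add a new project
project update <id> --task "任务"  # Update a project
project sync                    # Sync data + back up
project snapshot                # Generate a status snapshot
project summary                 # Generate a summary report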

Agent auto-discovery

At session start, an agent can read projects_snapshot.md to quickly learn the current project status.

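Components

| File | Description |
| --- | --- |
| projects_status.json | Core data file |
| PROJECT_STATUS.md | Markdown view |
| scripts/project.js | CLI management tool |
| scripts/project_snapshot.sh | Snapshot generator |
| scripts/auto_backup.sh | Automatic backup (keeps 30 versions) |
| assets/dashboard.html | HTML dashboard |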

Version history

| Version | Date | Description |
| --- | --- | --- |
| 1.0.0 | 2026-04-23 | Initial release: CLI + snapshots + backups + dashboard |
