Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tick-Coord: Multi-Agent Task Coordination
v1.0.0
Multi-agent task coordination via Git-backed Markdown (tick-md). Use when coordinating work across avatars or agents, managing tasks, tracking dependencies,...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the SKILL.md: the skill is an instruction-only integration that drives a local 'tick' CLI to manage TICK.md and Git. However, the registry metadata and requirements omit things the SKILL.md clearly expects: skill.json notes 'node >=18' and that the tick CLI must be built/linked from '~/clawd/projects/tick-md/cli', yet the registry lists no required binaries or install steps. That mismatch (expecting a local dev build and Node/npm but not declaring them) is inconsistent and worth confirming.
Instruction Scope
SKILL.md instructs the agent to run many local CLI commands (tick init, add, claim, sync --push, agent register, etc.) and to access local files (TICK.md, ~/clawd/projects/...). Those actions are coherent with task coordination, but they include repository-modifying operations (commit/push) and agent registration which will write state. There are no instructions to phone home to unknown remote endpoints, but pushing to Git or interacting with an MCP server will use environment credentials not declared here.
Install Mechanism
This is instruction-only (no install spec) which is low-risk by itself. But SKILL.md points to rebuilding the CLI via 'cd ~/clawd/projects/tick-md/cli && npm run build' and skill.json requires Node. The registry should have declared these prerequisites explicitly or provided an install spec; the hardcoded local path is surprising and brittle.
Credentials
The skill declares no required environment variables or credentials, yet its instructions will implicitly use Git credentials (SSH keys or credential helpers) and potentially an MCP server (not detailed). There is a proportionality mismatch: actions like 'tick sync --push' and 'tick agent register' require write access to repositories or agent identity stores. The skill does not declare or justify these credential needs.
Persistence & Privilege
always is false and the skill does not request persistent system-wide changes in its metadata. However, runtime instructions include registering agents and committing/pushing to Git, which grant the skill the capability to modify project repositories. Autonomous invocation is permitted by default (normal for skills) — combined with the missing credential scope this increases potential risk if allowed to act without supervision.
What to consider before installing
Before installing or enabling this skill:
1) Confirm you have a trusted 'tick' CLI and understand where it came from — the SKILL.md references a local build path (~/clawd/projects/tick-md/cli) and requires Node/npm.
2) Expect the skill to read and modify local repositories (TICK.md), commit changes, and push to configured remotes — ensure Git credentials used by the agent have limited scope and that pushes are acceptable.
3) If you want to limit risk, run the skill in a sandbox or test repo, disable autonomous invocation or require manual approval for 'sync --push' operations, and verify any MCP server endpoints and credentials before use.
4) Ask the publisher for clarity: provide an install spec, explicit required binaries (tick, node, npm, git), and a description of what credentials (if any) the skill expects to use. These clarifications would reduce the ambiguity and raise confidence.
Like a lobster shell, security has layers — review code before you run it.
latest vk972jqayh2m8t3t0ywmbm6dhwn83dsp8
