Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Orchard
v0.2.5-rc.5
Agentic project and task management plugin for OpenClaw. Persistent SQLite-backed task board with a queue runner that auto-dispatches ready tasks as subagent...
by @derp42
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The plugin implements exactly what its name/description state: a SQLite-backed task board, REST API, dashboard, and a queue runner that spawns subagent sessions. However the plugin documentation and manifest mention it will autonomously spawn subagents and requires operator-level write privileges for that behavior; the registry metadata presented to the evaluator shows no declared credential/permission requirement. This mismatch (behavior that requires elevated agent permissions vs. no declared credential) is unexpected and should be clarified.
Instruction Scope
SKILL.md and README instruct normal install and configuration and accurately describe agent tools, REST endpoints, and the queue runner behavior. The runtime instructions and code include an auth-forwarding standalone UI proxy that deliberately forwards the browser's Authorization header to the gateway (intended behavior), and the queue runner will dispatch ready tasks as subagents — both are within the stated purpose but significantly expand what the agent can do (autonomous dispatching and forwarding bearer tokens).
Install Mechanism
There is no external download/install step in the SKILL.md; source files and build scripts are present and dependencies are standard Node packages (better-sqlite3, TypeScript). No obscure URL downloads or archive extraction are used. The plugin appears packaged as an OpenClaw plugin and built locally via npm/tsc.
Credentials
The package declares no required runtime environment variables or credentials by default, but the README and config schema expose many optional debug env vars and a contextInjection.apiKey field (for embedding external KB providers). Crucially, the plugin's manifest and docs state it will spawn subagents and need operator.write scope, yet the registry metadata did not declare such a primary credential/permission. This is disproportionate: spawning subagents and performing operator-level actions requires elevated platform privileges and should be explicitly declared and gated.
Persistence & Privilege
always:false and standard autonomy settings are used (the agent may invoke the skill autonomously, which is platform-default). The plugin starts a standalone UI proxy by default bound to loopback; the code refuses non-loopback binds unless uiServer.allowUnsafeBind is explicitly set. The combination of autonomous subagent spawning + potential operator.write scope increases blast radius if misconfigured, but the skill does not request permanent 'always' inclusion and does not appear to modify other skills' configs.
What to consider before installing
What to consider before installing Orchard:
- Clarify permissions: confirm whether the plugin requires operator.write or other elevated gateway permissions to spawn subagents, and only grant the minimal scope needed.
- Run in a sandbox first: install and exercise Orchard in a local/dev OpenClaw instance (use ORCHARD_DEBUG_LOG_ONLY=1 and ORCHARD_DISABLE_ALL_SPAWNS=1) before enabling spawns on a production gateway.
- Keep the standalone UI loopback-only: do not enable uiServer.allowUnsafeBind or change bindAddress from 127.0.0.1 unless you understand the network exposure; the UI proxy forwards browser Authorization headers to the gateway.
- Treat gateway tokens carefully: avoid embedding tokens in HTML; use localStorage token entry as recommended and rotate tokens if you suspect exposure.
- Audit any configured contextInjection.apiKey or third-party API keys: only provide such keys if you trust the provider and understand how injected context will be used/stored.
- Review config.settings (dbPath, limits, debug flags) before enabling in multi-user or shared environments; set tight limits on concurrent executors and disable architects/spawns if you want manual control.
- If you need more assurance, ask the author to explicitly document required OpenClaw permission scopes and provide a minimal-permissions deployment guide. If that clarification is not available, consider classifying the plugin as higher-risk and avoid granting elevated privileges.

Like a lobster shell, security has layers — review code before you run it.
