ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Little Steve Task Manager

v0.1.7

小史任务管理器:面向 IM 场景的轻量任务系统,快速可用、与工作流高度融合,可在聊天中直接管理任务并支持每日汇总与自动状态更新。

1· 526·2 current·2 all-time
by@echoofzion
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description describe a lightweight IM task manager and the bundled files (SKILL.md, README, scripts/task.sh, data/*.json) implement exactly that. The required capability (jq) matches the script's use.
Instruction Scope
SKILL.md instructs the agent to run the included shell script with arguments; the script only reads/writes the skill's data/tasks.json and settings.json and calls only date and jq. There are no instructions to read other system files, environment variables, or contact external endpoints.
Install Mechanism
No install spec is provided (instruction-only with an included script). The only runtime dependency is jq (documented). Nothing is downloaded or executed from remote URLs.
Credentials
The skill requires no environment variables, no credentials, and no config paths. This is proportionate to a local task manager.
Persistence & Privilege
always is false and the skill does not modify other skills or global agent configuration. It persists state only to its own data/tasks.json (created with chmod 600).
Assessment
This skill appears to be a small, local task manager implemented in a shell script that uses jq and stores tasks in data/tasks.json. Before installing: ensure jq is available, review scripts/task.sh yourself (it runs with the agent/user privileges when invoked), and be aware it will create and update files under the skill directory (data/tasks.json/settings.json). The sample tasks.json contains a prank-like title "$(rm -rf /)" — that is just text in the data file and not executed by the script, but you may wish to clean sample data before use. If you plan to allow autonomous invocation, remember the script will run commands on your system with whatever rights your agent process has; run it in a restricted environment if you want extra safety.

Like a lobster shell, security has layers — review code before you run it.

latestvk97anfsx53ewm4v4wcb55hvdkh828rta

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments