Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Employee Collaboration Skill Pack (AI员工协作技能包)

v1.0.0

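AI Employee Collaboration Skill Pack - multi-AI role configuration, automatic task assignment, progress monitoring, and result reporting. Suited to teams that want to automate their operations.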

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The name/description (AI team collaboration, task dispatch, monitoring, persistent memory, report generation) generally match the included employee-manager.js which handles employee CRUD and memory files; however SKILL.md and README describe multiple other components (task-dispatcher.js, status-monitor.js, report-generator.js, meeting-coordinator.js), templates/, package.json, and runnable commands (/assign, /meeting, npm start) that are not present in the file manifest. The declared capabilities therefore exceed the actual code provided, which is inconsistent.
! Instruction Scope
Runtime instructions tell the user to run 'npm install' and 'npm start', edit config/workflow files, and use many CLI commands and templates. The provided code only implements a single CLI-like employee manager module; there is no package.json, no start script, and most referenced scripts/templates are absent. While the present code only does local filesystem read/write (config/, memory/), the instructions are misleadingly broad and grant the skill wide discretion in the user's project layout without actually providing the described functionality.
! Install Mechanism
There is no install specification in the registry (instruction-only). SKILL.md instructs running 'npm install' and 'npm start', yet the repository lacks package.json and the other modules that would justify those commands. This mismatch is a red flag: the install/runtime instructions expect a larger codebase than is included.
Credentials
The skill requests no environment variables or external credentials. The code operates on local files (config/, memory/, templates/) which fits the stated purpose (local persistent memories and config). There are no network calls or requests for unrelated secrets in the visible code.
Persistence & Privilege
The skill does persistent local file operations (creates config/, memory/, archived memory). It does not request elevated platform privileges or set always:true. Its persistence is limited to its own directories under the repo (creating memory and config directories), which is expected for a local agent that stores 'memories'.
What to consider before installing
The documentation claims a full suite (task dispatcher, status monitor, report generator, templates, package.json and runnable commands) but the package only includes a single employee-manager.js and README/SKILL.md. Before installing or running:
1) inspect the repository root for package.json and the other scripts the docs mention (they're missing here);
2) run this code in an isolated/sandbox environment since it writes to ./config and ./memory and will persist data locally;
3) if you expected the full product, request the missing files from the publisher or prefer a released package from a known source;
4) search the codebase for any network calls or hidden endpoints (none are visible in employee-manager.js, but missing modules could introduce them);
5) backup any important data before allowing it to run because this skill will create and modify local files.
The inconsistencies could be sloppy packaging or an incomplete release — treat it as untrusted until clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e4by8pv7b824qxp53s8vn5s8240zs
