Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

letcairn.work

v1.0.2

Project management for AI agents using markdown files. Install and use the cairn CLI to create projects, manage tasks, track status, and coordinate human-AI collaboration through a shared workspace of markdown files.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for gregoryehill/cairn-cli.

Install the skill "letcairn.work" (gregoryehill/cairn-cli) from ClawHub.
Skill page: https://clawhub.ai/gregoryehill/cairn-cli
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install gregoryehill/cairn-cli

ClawHub CLI

npx clawhub@latest install cairn-cli

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

Name/description (AI project management with markdown) matches the SKILL.md content and CLI commands. However, the skill instructs installing an external npm package (cairn-work) and creating ~/cairn files even though the registry metadata declares no required config paths or install spec — a modest mismatch between claimed runtime requirements and declared metadata.

Instruction Scope (!)

SKILL.md instructs agents to read and use auto-generated files under ~/cairn/ (AGENTS.md, .cairn/planning.md) and implies agents will 'read automatically.' That is coherent for a workspace tool, but the wording is vague and the registry doesn't declare those config paths. Any agent file access to the user's home directory could expose unrelated data if file-scope rules aren't enforced.

Install Mechanism (!)

There is no install spec in the registry (instruction-only), yet the SKILL.md explicitly tells users to run 'npm install -g cairn-work'. Installing a global npm package pulls code from the public registry and may run install/postinstall scripts; the registry provides no provenance or vetted install mechanism here, which increases risk if the package or its maintainer are untrusted.

Credentials

The skill requests no environment variables, credentials, or special config paths in registry metadata. That is proportionate to a local filesystem-based CLI tool. The remaining concern is implicit file access to ~/cairn rather than secret env access.

Persistence & Privilege

No 'always' flag is set and disableModelInvocation isn't set (defaults allow model invocation). This means the agent could potentially invoke the CLI if allowed; combined with the SKILL.md claim that agents 'read automatically', users should confirm agent runtime permissions and whether autonomous invocation is intended.

What to consider before installing

This skill appears to do what it says (manage projects via a local markdown workspace) but has two practical concerns you should address before installing: (1) provenance of the 'cairn-work' npm package — review the package page and its source repo (postinstall scripts, maintainer, recent activity) and preferably inspect its code before running a global install; (2) filesystem access — the tool creates and expects ~/cairn and the SKILL.md implies agents will read those files automatically, so verify what file access your agent runtime will allow (limit to the ~/cairn folder, sandbox the CLI, or require explicit user invocation), and back up any existing data. If you need lower risk, run the CLI in a disposable/sandboxed environment or request the registry include an explicit install spec and declared config paths so permission boundaries are clear.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai agents, automation, cli, collaboration, developer tools, kanban, latest, markdown, nodejs, npm, productivity, project management, task management, workflow

1.6k downloads
0 stars
1 version
Updated 7h ago
v1.0.2
MIT-0

Cairn — AI-Native Project Management

Cairn gives you and your AI agent a shared workspace of markdown files for managing projects and tasks. Statuses are the shared language. Any AI that can read files is ready to go.

Installation

npm install -g cairn-work
cairn onboard

cairn onboard creates ~/cairn/ with auto-generated context files (AGENTS.md and .cairn/planning.md) that agents read automatically.

Core Commands

Workspace

  • cairn status — Overview with task counts
  • cairn my — Your assigned tasks
  • cairn active — All in-progress tasks
  • cairn doctor — Diagnose workspace health

Projects & Tasks

  • cairn create project "Name" --description "..." --objective "..." — Create a project with charter
  • cairn create task "Name" --project <slug> --description "..." --objective "..." — Create a task
  • cairn list tasks [--status pending,in_progress] [--project slug] — List tasks with filters
  • cairn search "keyword" — Find tasks by content

Task Workflow

  • cairn start <task-slug> — Begin work (sets in_progress)
  • cairn note <task-slug> "Progress update" — Add a status note
  • cairn artifact <task-slug> "Artifact Name" — Create a linked deliverable
  • cairn done <task-slug> — Finish work (moves to review or completed)
  • cairn block <task-slug> "Reason" — Mark as blocked

Maintenance

  • cairn update-skill — Refresh context files after CLI updates
  • cairn upgrade — Update CLI to latest version

Workspace Structure

~/cairn/
  AGENTS.md                  # Agent context (auto-generated)
  .cairn/planning.md         # Planning guide (auto-generated)
  projects/
    project-slug/
      charter.md             # Why, success criteria, context
      artifacts/             # Deliverables (design docs, proposals, etc.)
      tasks/                 # Individual task markdown files
  inbox/                     # Ideas to triage
  memory/                    # Workspace memory

Statuses

pending → next_up → in_progress → review → completed (or blocked at any point)

Autonomy Levels

Set per-task to control how much the agent can do:

  • propose — Agent plans only, finishes in review
  • draft — Agent does work, you approve before shipping
  • execute — Full autonomy, finishes as completed

Tips

  • Run cairn onboard first — it sets up everything the agent needs.
  • Use cairn my to see your current workload at a glance.
  • Artifacts (cairn artifact) create linked deliverables stored with the project.
  • All data is plain markdown with YAML frontmatter — version control friendly.
