Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Add Task
v1.0.0 · creates draft task file in .specs/tasks/draft/ with original user intent
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (create draft task files under .specs/tasks/draft/) matches the overall actions in SKILL.md (generate task metadata and write a file). However the docs contain internal contradictions about the target folder and accepted types (see instruction_scope). No unrelated credentials or binaries are requested, which is consistent with the stated purpose.
Instruction Scope
The SKILL.md instructs filesystem writes and running a helper script — expected for this purpose — but contains concrete contradictions: (1) top-level description and many places say create files in .specs/tasks/draft/, while the 'Create Task File' block instructs the agent to use the Write tool to create .specs/tasks/todo/<name>.<type>.md; (2) 'Do NOT create files outside .specs/tasks/draft/' conflicts with the todo path; (3) Expected Output lists only types 'task|bug|feature' while other sections and examples include many extensions (refactor/test/docs/chore/ci), causing ambiguity; (4) the instructions reference an environment variable ${CLAUDE_PLUGIN_ROOT} to run a folder-creation script but the skill declares no required env vars. These inconsistencies could cause the agent to write files in the wrong place or fail to run the script.
Install Mechanism
No install spec and no code files — instruction-only skill. That minimizes install-time risk because nothing is downloaded or executed automatically beyond the platform-provided tools and whatever scripts the skill tells the agent to run locally.
Credentials
The skill does not request credentials (good), but it references an undeclared environment variable (${CLAUDE_PLUGIN_ROOT}) for running create-folders.sh. The SKILL.md reads that script from the plugin root; referencing env vars that aren't declared by the skill is a mismatch and should be clarified (the agent may fail or run an unexpected script if that variable is set to an unexpected path).
Persistence & Privilege
The skill is not always-enabled and doesn't request elevated or cross-skill configuration. It instructs writing files only into project-scoped .specs directories (which is coherent with its purpose).
What to consider before installing
This skill mostly does what it says (create draft task files) but the instructions are inconsistent and reference an undeclared environment variable. Before installing or using it, ask the author to: (1) fix the target path ambiguity (should files be created under .specs/tasks/draft/ or .specs/tasks/todo/?), (2) make the list of allowed issue types consistent across the document and expected output, (3) declare any environment variables the instructions rely on (e.g., CLAUDE_PLUGIN_ROOT) and explain what create-folders.sh does and where it comes from, and (4) confirm the skill will not overwrite existing files and that create-folders.sh is safe to run. If you cannot get those clarifications, treat the skill as untrusted because it may write files to unintended locations or execute an unexpected script path.
Like a lobster shell, security has layers — review code before you run it.
