Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

APPM: Atlas-Parallel Project Management

v2.2.0

Manages AI Agent project memories by creating and updating .openclaw/MISSION.md and SNAPSHOT.md for parallel project progress tracking.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (project snapshot/mission management) aligns with the included scripts (init.py, appm_recall.py, appm_update_weights.py) and templates. However README/SKILL.md mention additional tooling and features (appm_tracker.py, atlas_bootstrap.py, appm_init_dual.py, an 'openclaw appm' CLI, and a background tracker) that are not present in the bundle — a documentation vs. implementation mismatch.
Instruction Scope
SKILL.md instructs the agent to 'must force read' .openclaw/MISSION.md and SNAPSHOT.md and to update snapshots on milestones — which is within expected scope. But instructions also claim background auto-execution and dynamic tracking (automatic keyword tracking, boot-time anchoring) and reference data/appm_registry.json without clarifying the registry path; the actual scripts use ~/.openclaw/workspace/data/appm_registry.json. The SKILL.md/README promise features not implemented by the included scripts, creating ambiguity about what the agent will actually execute.
Install Mechanism
No install spec (instruction-only) — lowest install risk. But the bundle includes runnable Python scripts; without an install step these files will simply be present and can be executed by the agent or user. There are no network downloads or obfuscated installers in the package.
Credentials
The skill requests no environment variables or external credentials. The scripts read and write files under the user's home (~/.openclaw/workspace/data/appm_registry.json and LOGBOOK.md) and project .openclaw directories — this is proportionate to the stated purpose, but those home-registry files could contain paths or metadata referencing arbitrary project directories, so they should be reviewed before use.
Persistence & Privilege
The skill does not request 'always:true' and does not modify other skills or system-wide agent settings. It does write to its own data paths (home workspace and project .openclaw), which is expected for persistence.
What to consider before installing
This package is not clearly fraudulent, but it contains inconsistencies you should resolve before trusting it. Steps to take before installing/using:

1) Inspect the included files (scripts/*.py and templates) to confirm behavior; they run locally and only read/write .openclaw files and ~/.openclaw workspace.
2) Open ~/.openclaw/workspace/data/appm_registry.json (if it exists) and inspect its contents and referenced project paths; it may point to arbitrary directories.
3) Note missing pieces claimed in docs (appm_tracker.py, atlas_bootstrap.py, appm_init_dual.py, and the 'openclaw appm' CLI): ask the author or vendor how those features are provided.
4) Test in a sandbox or non-critical environment first; back up any .openclaw folders you care about.
5) If you plan to allow autonomous agent invocation, be aware the agent could run these Python scripts and modify files under your home directory and project folders; limit privileges and monitor file changes.

If the author cannot explain the doc/code mismatches or provide the missing scripts, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.
