Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ZenTao Analytics
v1.0.0禅道任务数据分析技能。访问禅道数据库/API,分析员工任务数据(数量、工时、难度),计算工作效率和工作饱和度。使用场景:团队绩效评估、工作量分析、资源分配优化、项目进度监控。
⭐ 0· 382·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (ZenTao analytics) matches the code and docs: the skill legitimately needs access to a ZenTao API or database to compute task and workload metrics. Requiring ZENTAO_URL, ZENTAO_API_KEY or DB credentials is coherent with the stated purpose. However, the registry metadata claims no required environment variables while the SKILL.md and scripts clearly expect environment variables for API/DB access — this mismatch is unexpected and should have been declared.
Instruction Scope
SKILL.md instructs the agent/user to configure env vars and run node scripts. The included analyze/export scripts read process.env and local files only and currently use simulated data (fetchTaskData is a stub). The docs reference additional test scripts (test-connection.js/test-db-connection.js) and an api-schema.md that are not present; the README also mentions exporting 'to external systems' but export-metrics.js only writes local JSON/CSV. The instructions therefore over-promise and refer to files/actions that aren't included, which increases risk if users run it expecting working network/DB behavior.
Install Mechanism
There is no install spec (instruction-only with a couple of scripts). That is low risk from an install perspective — no remote downloads or package installs are performed by the registry metadata. However, the scripts assume a Node environment and any missing runtime dependencies or package.json are not declared here.
Credentials
The skill requires sensitive credentials (ZENTAO_API_KEY, or DB credentials including ZENTAO_DB_USER/ ZENTAO_DB_PASS) to perform its function — that is reasonable for this purpose. The problem is the registry metadata does not declare any required environment variables or primary credential, so users won't be warned by the installer. Also the SKILL.md suggests using a read-only DB account (good), but the code has no safeguards and there is no guidance to avoid using high‑privilege accounts. The missing declaration and lack of explicit guidance about credential scope are concerning.
Persistence & Privilege
The skill does not request 'always: true' and does not attempt to modify other skills or system-wide settings. It runs on demand and writes only local output files when invoked, which is consistent with its purpose.
What to consider before installing
This skill appears to be an analytics helper for ZenTao and is not obviously malicious, but it's incomplete and inconsistent. Before installing or running it: 1) Do not run it with production/root DB credentials — create a limited read‑only account or use a test instance. 2) Expect that the scripts are partially stubbed: fetchTaskData is a demo and there are missing helper scripts (test-connection.js) and no package.json; ask the author for a full implementation and dependency list. 3) Verify where credentials are stored (use a secure .env and avoid committing secrets). 4) Review the code locally to ensure no hidden network endpoints or exfiltration paths were added, and test on a sandboxed ZenTao instance first. 5) If you need the registry to show required env vars, request that the publisher update metadata to declare ZENTAO_URL, ZENTAO_API_KEY and/or DB credentials explicitly and provide guidance on least-privilege credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk97c7f5efmpcn7ak070banf9yh8234ae
License
MIT-0
Free to use, modify, and redistribute. No attribution required.