Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Manus-style Task Planning: Planning With Files 2.26.1

v1.0.0

Implements Manus-style file-based planning to organize and track progress on complex tasks. Creates task_plan.md, findings.md, and progress.md. Use when aske...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (file-based planning, persistent markdown files, session recovery) match the included templates, scripts, and SKILL.md hooks. The scripts (init-session, check-complete, session-catchup) and templates are appropriate for creating/updating task_plan.md, findings.md, and progress.md. No unrelated binaries, credentials, or installs are requested.
Instruction Scope
Runtime instructions and hooks read and write the planning files in the user's project directory (expected). The session-catchup script inspects prior session JSONL files under a sanitized path in the user's home (e.g., ~/.claude/projects/<sanitized>/*.jsonl) to produce an 'unsynced context' report — this is coherent for crash/recovery but means the skill will read historical session contents (user/assistant messages and tool uses). Review this behavior if you consider prior session contents sensitive.
Install Mechanism
No install spec; it's mainly instruction-only with bundled scripts and templates included in the package. No network downloads or extraction from third-party URLs are present. This is low-risk from an install perspective.
Credentials
The skill declares no required credentials or env vars. It does reference CLAUDE_PLUGIN_ROOT (falling back to $HOME/.claude/plugins/...) and expects Python/PowerShell availability, which is proportional to implementing session-catchup and cross-platform hooks. There are no secrets requested, but the skill accesses files under the user's home (session stores) — not a credential leak but a privacy surface to consider.
Persistence & Privilege
always is false and the skill does not request persistent platform-level privileges or modify other skills. Its hooks run local scripts within the plugin folder or project directory and report status; this is appropriate for a planning tool.
Assessment
This skill appears to do what it says: create and manage three markdown files and help resume work by scanning previous sessions. Before installing or enabling it, consider:
1) The session-catchup script will read sanitized session JSONL files in your home directory (e.g., ~/.claude/projects/...), which can contain prior user/assistant messages and tool outputs — if those may include sensitive data, avoid running the catchup step or review the script and its target path first.
2) The hooks execute simple shell commands (cat, head, tail) and will run the packaged scripts (init-session.sh, check-complete.sh, session-catchup.py) on your machine; inspect these files if you have concerns.
3) No network installs or secrets are requested by the skill.
If you trust the source and are comfortable with local session scanning for recovery, the package is coherent for its purpose; otherwise disable or remove the catchup/run hooks that access session storage.

Like a lobster shell, security has layers — review code before you run it.
