Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Project OS Organizer
v1.2.1Privacy-first, chat-first project manager for vibe coders. Track projects, capture updates, and resume work across local folders, Claude/Codex, and GitHub wi...
⭐ 0· 475·2 current·2 all-time
byJoseph Antonio Bozzo-Horwich@ldodee
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (local-first, chat-first project manager) aligns with requested binaries and env vars: only python3 is required and the optional env flags control chat indexing, GitHub sync, home discovery, and remote install. The scripts are wrappers that expect a separate project-os repo (project_os package) and will refuse or require explicit opt-in before performing remote clone/install.
Instruction Scope
SKILL.md directs the agent to run scripts/project_router.sh which in turn runs bootstrap/setup scripts and the project_os Python CLI. Those scripts will scan local roots and (if enabled) conversation roots and GitHub. By default chat indexing, home-discovery, GitHub sync, and remote install are disabled; enabling them is controlled by explicit environment variables (PROJECT_OS_INCLUDE_CHAT_ROOTS, PROJECT_OS_ENABLE_GITHUB_SYNC, PROJECT_OS_ENABLE_HOME_DISCOVERY, PROJECT_OS_AUTO_SETUP and PROJECT_OS_ALLOW_REMOTE_INSTALL).
Install Mechanism
No automated install spec in the registry; this is instruction+script based. Remote install is possible only when two opt-in flags are set and the repo URL matches a TRUSTED_REPO_URL; the remote clone uses a GitHub URL. There are no opaque downloads or URL shorteners in the codebase.
Credentials
The skill requests only PROJECT_OS_ROOT (or explicit remote-install opt-in) plus optional flags for chat/GitHub/home discovery. If you enable GitHub sync, the tooling will look for GITHUB_TOKEN or call the gh CLI; enabling chat indexing or home discovery allows scanning of local chat folders and user home subfolders. These env/credential needs are proportionate but enable access to potentially sensitive local data when turned on.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It creates data under $HOME/.project_os and may start a local dashboard (binds to PROJECT_OS_HOST:PROJECT_OS_PORT, default 127.0.0.1:8765). Daemonization is handled locally via daemonize_command.py. Nothing modifies other skills or global agent settings.
Assessment
This skill is coherent with its stated purpose, but it can access or index local chat transcripts, home directories, and GitHub only when you explicitly enable those options. Before installing or running: 1) Keep remote-install disabled unless you trust the repository and set PROJECT_OS_ROOT to a local checkout. 2) Only set PROJECT_OS_INCLUDE_CHAT_ROOTS=1 or PROJECT_OS_ENABLE_GITHUB_SYNC=1 if you want those features and understand they will read local chat folders or use your GITHUB_TOKEN / gh CLI. 3) Expect files under ~/.project_os and a local web dashboard at 127.0.0.1:8765 when started. 4) Review the upstream project-os repository (PROJECT_OS_REPO_URL / PROJECT_OS_TRUSTED_REPO_URL) before enabling auto-install. If you want a minimal footprint, leave all optional env flags unset and point PROJECT_OS_ROOT to a vetted local copy.Like a lobster shell, security has layers — review code before you run it.
latestvk970jgc1fxs858dpqbqdd5jr6s81q2m1openclawvk970jgc1fxs858dpqbqdd5jr6s81q2m1privacyvk970jgc1fxs858dpqbqdd5jr6s81q2m1productivityvk970jgc1fxs858dpqbqdd5jr6s81q2m1project-managementvk970jgc1fxs858dpqbqdd5jr6s81q2m1vibe-codingvk970jgc1fxs858dpqbqdd5jr6s81q2m1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🗂️ Clawdis
OSLinux · macOS · Windows
Binspython3
EnvPROJECT_OS_ROOT (required unless explicit remote install opt-in), PROJECT_OS_INCLUDE_CHAT_ROOTS=1 (optional), PROJECT_OS_ENABLE_GITHUB_SYNC=1 (optional)