Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (team collaboration: projects, tasks, bugs, docs, milestones) matches the provided SKILL.md, skill.json, and index.js functions. The code implements HTTP calls to a localhost backend exposing the expected endpoints (projects, tasks, bugs, documents, etc.), so required capabilities align with the stated purpose.
Instruction Scope
SKILL.md and index.js limit activity to a local backend (http://localhost:8080) and front-end (http://localhost:12345). The instructions and code only reference those local endpoints and defined API actions. Note: because the skill will call localhost endpoints, it can perform any action that remote endpoints expose (including create/delete operations); ensure it will be pointed at a trusted/test instance to avoid unintended destructive actions.
Install Mechanism
There is no install spec (no downloads or package installs), which is low risk. However, the package includes an index.js file (server/client code) that will be executed by the platform when the skill runs — there is no external fetch or archive extraction. This is expected for a packaged client library, but the presence of code (versus purely prose SKILL.md) means you may want to review the file if you have concerns.
Credentials
The skill declares no required environment variables, credentials, or config paths. The code stores an in-memory token after login but does not request secrets from the environment or other unrelated services. The requested scope (none) is proportionate to a local API client.
Persistence & Privilege
always is false and model invocation is allowed (platform default). The skill does not request persistent system-wide privileges or modify other skills. It keeps a runtime token in memory only and does not write persistent credentials or config.
Assessment
This skill is a local HTTP client for a team-collaboration backend and appears coherent with that purpose. Before installing: (1) confirm you intend the agent to contact a local service at http://localhost:8080 — the skill will make real API calls (including create/update/delete) to whatever service is running there; (2) point it at a test or trusted instance to avoid accidental destructive operations; (3) review index.js if you want to confirm there are no remote endpoints beyond localhost; (4) note the skill saves an auth token in memory after login and will use it for subsequent requests (it does not request host environment secrets). If the package requested external network hosts, environment secrets, or downloads, that would increase risk — none of those are present here.Like a lobster shell, security has layers — review code before you run it.
latestvk9722e3sfgafbtkf8rae0q2m4182t7rb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.