Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TaskFlow 3.0

v3.0.0

TaskFlow 3.0 - Agent-Native project-based task scheduling system. AGENT INSTRUCTIONS: 1. Read PROJECT.yaml from project directory 2. Parse meta/content/target/constraints/workflow 3. E...

by 深圳王哥 @manwjh
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (agent-native project/task scheduler) aligns with the code and SKILL.md: scripts read PROJECT.yaml, compute scheduling, and record history. However, there are several mismatches: package.json advertises CLI sh wrappers (bin/taskflow.sh, bin/scheduler.sh) that are not present; SKILL.md and package.json indicate a Python+pyyaml requirement, but some code (edit-project.py and meta-planner.py) uses json.load on PROJECT.yaml (which should be YAML), risking corruption of YAML config files. These discrepancies are not consistent with a cleanly implemented scheduler.
Instruction Scope
SKILL.md instructs the agent to read PROJECT.yaml, resolve paths relative to a workspace, execute workflow steps, and update executions.json — all within the expected scope. The meta-planner prompt and scripts explicitly instruct reading many files under the user's home (e.g., ~/.openclaw/.../intel/.p0-alert, vault/*.md, workspace memory files) and to use external 'browser' tools to publish. Reading local workspace and memory is expected for a scheduler, but the prompt encourages accessing potentially sensitive 'intel' vault files — which is within function but worth highlighting.
Install Mechanism
There is no remote install step (instruction-only + included scripts), so no network download risk. The metadata suggests pip install of pyyaml (reasonable for YAML parsing). However, package.json claims Node CLI sh wrappers that don't exist in the repo, which is an implementation inconsistency (users following SKILL.md may expect a provided CLI).
Credentials
The skill requests no environment variables or external credentials, which is proportionate. However, the code repeatedly reads files under the user's home directory (paths like ~/.openclaw/workspace-zsxq, ~/.openclaw/workspace/intel/vault, etc.). Access to those local files is consistent with a project scheduler, but they may contain sensitive data (the 'intel' vault). No external tokens are requested, but the skill expects the agent to use external tools (browser) for publishing, which would require platform credentials not managed by the skill.
Persistence & Privilege
The skill is not always-included and does not request elevated platform privileges. It does not modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but not combined with other high-risk indicators here.
What to consider before installing
Things to consider before installing/running:
- Backup your workspace/projects before running: the code reads and writes PROJECT.yaml and history files under ~/.openclaw workspaces. edit-project.py uses json.load/json.dump on PROJECT.yaml (a YAML file) and may convert or corrupt YAML configs — inspect and test on copies first.
- Inspect the 'intel' and 'memory' files the scripts reference (e.g., ~/.openclaw/.../intel/*.md, workspace memory) — they may contain sensitive information; the meta-planner explicitly reads these to decide publishing.
- package.json claims CLI sh wrappers that are missing; the advertised 'taskflow' commands in SKILL.md may not exist as-is — expect to run the provided Python scripts directly or validate/implement missing wrappers.
- The code uses different hardcoded workspace paths across files ('.openclaw/workspace', '.openclaw/workspace-zsxq', etc.) and SKILL.md uses OPENCLAW_WORKSPACE or pwd — this inconsistency can cause the skill to read unexpected directories. Confirm which workspace path will be used and test behavior in a sandbox.
- No external credentials are requested by the skill itself, but publishing steps described in prompts assume use of external browser/tools that require credentials; ensure those credentials are provided only to trusted tools and not to this skill implicitly.
- If you proceed: run the scripts in a restricted/sandbox environment, inspect outputs, and correct the JSON/YAML handling and missing bin wrappers before using on real projects.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

Bins: python3
