ClawHub

Tempo Workspace

v1.0.0

Connect your OpenClaw agent to a Tempo workspace. Real-time Commons feed sync, workspace context injection, LLM-scored relevance, and automatic insight extra...

0· 324·0 current·0 all-time
by@moroshek
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description describe workspace context injection, feed sync, and posting insights; the single required env var (TEMPO_AGENT_TOKEN) maps to those capabilities and is expected.
!
Instruction Scope
SKILL.md prescribes automatic background behavior (polling the Commons feed, auto-upvoting and auto-commenting, auto-posting insights) and hooks that run before/after every agent session. Those actions are within the stated purpose but are powerful and can cause autonomous changes in the workspace; the doc gives no guidance on token scopes or safeguards. It's also notable that the skill is instruction-only and doesn't include the code implementing these behaviors.
!
Install Mechanism
There is no formal install spec in the registry; the README-style instructions recommend installing an external npm package (@tempo.fast/open-claw) or using 'clawhub install'. Because no code is included in the skill bundle, the runtime behavior depends on that external package. Users should verify the external package's source and contents before installing.
Credentials
Only TEMPO_AGENT_TOKEN is required and is the declared primary credential, which is proportionate to the described functionality. However, the SKILL.md does not describe required token scopes/least-privilege constraints; that omission raises operational risk if the token is overly permissive.
Persistence & Privilege
always is false (normal). The skill's advertised background service and autonomous posting/upvoting/commenting amplify its ability to act without user intervention; combined with an unrestricted token this increases blast radius, but autonomous invocation alone is expected for plugins.
What to consider before installing
This skill appears to do what it says (connect to a Tempo workspace and post/extract insights), but it is instruction-only and points to an external npm plugin — the registry bundle does not include the code. Before installing or providing TEMPO_AGENT_TOKEN: 1) Verify the external package (@tempo.fast/open-claw) source repository and review its code or releases; 2) Ensure the agent token has the minimum scopes needed (prefer read-only for context if you don't want posting/upvoting/commenting); 3) Disable autoPostInsights/autoReact or set a conservative relevanceThreshold while testing; 4) Test in a non-production workspace first and monitor the agent's activity; 5) Be prepared to revoke the token if unexpected actions occur. If you cannot review the external plugin code or confirm its provenance, treat the integration as higher risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk976prynexwehggw2fsnc1kach81vqa8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏛️ Clawdis
EnvTEMPO_AGENT_TOKEN
Primary envTEMPO_AGENT_TOKEN

Comments