Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ideas2tasks
v1.0.1將 /Users/claw/Ideas 中的臨時想法自動分類、拆解為敏捷專案任務。 觸發條件:用戶提到「idea轉task」「ideas2tasks」「想法拆分」「專案規劃」「task管理」, 或要求掃描 Ideas 目錄、建立專案任務、分配團隊成員。
⭐ 0· 71·0 current·0 all-time
bygentoobreaking@openclawchen8-lgtm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The core purpose (scan /Users/claw/Ideas, create /Users/claw/Tasks, split ideas into tasks and archive processed files) aligns with the code and SKILL.md. However the code also implements optional integrations (Telegram notifications, GitHub Issue/Board sync via the gh CLI, creation of GitHub blob URLs) that are not declared in the skill metadata or requires.env. These integrations are plausibly related (reporting / issue sync) but should have been declared up-front.
Instruction Scope
Runtime instructions and shipped scripts will read and write user files under /Users/claw (Ideas, Tasks), move files into _done/, create and update README and task files, spawn agents (mapped agent IDs) and send external network requests (Telegram API) and call the GitHub CLI. SKILL.md mentions scanning, creating tasks, archiving, sending Telegram, and spawning agents, but it does not mention GitHub CLI usage, nor does it declare that it will read ~/.qclaw/gold_monitor_config.json. The code also contains logic to update files permanently — e.g., shutil.move — so data will be modified/moved on disk. The skill's instructions are not fully explicit about required credentials and side effects.
Install Mechanism
No install spec — this is instruction+script bundle. No network-based installer or archive download. That reduces supply-chain concerns; risk comes from running included scripts, not from an installer.
Credentials
The code reads environment variables TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID and falls back to a config file at ~/.qclaw/gold_monitor_config.json; it also expects the gh CLI to run (implying GitHub credentials available to gh). None of these credentials/config paths are declared in the skill metadata. Requesting access to Telegram/GitHub auth is plausible for notifications and issue sync, but the absence of declared required env vars and the presence of a fallback config path are inconsistent and increase surprise/risk.
Persistence & Privilege
always:false and model invocation allowed (default). The skill writes to the user's filesystem (creates/moves files) and recommends daily cron execution; it does not request forced permanent inclusion. These file writes are coherent with the purpose, but the ability to spawn agents and invoke external network operations combined with file modifications increases the operational impact if misused. No evidence it modifies other skills' configs.
Scan Findings in Context
[SUBPROCESS_SHELL_TRUE] expected: executor.py runs 'gh' via subprocess.run(..., shell=True) to create GitHub issues. Using gh is coherent for issue sync, but shell=True with constructed command strings can be risky (injection if inputs are not fully sanitized). The code does escape double-quotes for titles but still constructs a shell command string.
[UNDECLARED_TELEGRAM_ENV] expected: lifecycle.py uses TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID environment variables and falls back to ~/.qclaw/gold_monitor_config.json. Using Telegram for notifications is plausible, but these env vars/config paths are not declared in the skill metadata (requires.env is empty), which is an incoherence.
[HARDCODED_HOME_PATHS] expected: Scripts operate on hardcoded /Users/claw/Ideas and /Users/claw/Tasks and read ~/.qclaw/gold_monitor_config.json. Hardcoded paths match the stated purpose but increase risk if run under a different user or if assumptions about the home layout differ.
[GITHUB_CLI_INTEGRATION] expected: executor.py contains GitHub owner/repo constants and logic to create issues via the gh CLI. GitHub sync is reasonable for a task automation tool, but it implies the need for gh and authenticated credentials — again not declared in the metadata.
What to consider before installing
Before installing or running this skill, review and test locally rather than running it on your main account: 1) Inspect scripts (lifecycle.py, executor.py, sync_status.py, task_completion_hook.py) yourself to confirm the actions are acceptable (they will move files into _done/ and modify task/README files). 2) Run in dry-run modes first (many scripts support --dry-run) and back up /Users/claw/Ideas and /Users/claw/Tasks. 3) Be aware the code will attempt to send Telegram messages and call the gh CLI to create GitHub issues — ensure TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID and gh credentials are intentionally provided; if you don't want remote actions, unset those envs and remove/disable GitHub sync code. 4) Note the executor uses subprocess with shell=True; ensure task titles or idea contents cannot be manipulated to inject shell commands in your environment. 5) If you will allow cron or automated runs, prefer running inside an isolated environment/container or a dedicated user with limited access. 6) If anything is unclear or you need the skill to avoid external sync, ask the author to (a) declare required env vars, (b) avoid shell=True usage or use subprocess with argument lists, and (c) document exactly when files will be moved or network calls made.Like a lobster shell, security has layers — review code before you run it.
latestvk97cf0pthpgexztar9w7yne2f584ynyc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.