Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Task Detection + Proactive Thinking
v1.0.0 · Incomplete task detection + proactive thinking. Automatically scans task status, identifies anomalies, generates solutions, and attempts auto-fixes.
by jason-tiger@opendolph
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The skill's stated purpose (scan HEARTBEAT.md/WORKING.md, detect anomalies, suggest fixes) aligns with the included script, which reads task files and writes detection logs. However, the script uses a hard-coded absolute WORKSPACE path ('/Users/openclaw/.openclaw/workspace') rather than a relative path or an environment variable; that is brittle and unusual. Writing into the agent memory folders (memory/hot, memory/warm) is consistent with a task skill, but the hard-coded user path means the script will only run correctly at that specific path and may unexpectedly read files from a user's home directory.
Instruction Scope
SKILL.md instructs the agent to read HEARTBEAT.md and WORKING.md and to push critical alerts via Feishu. The distributed code implements file reads/writes and log generation, which is expected. However, SKILL.md promises Feishu pushes and integration with 'ClawMemory'/'three-layer memory', but the code contains only a console placeholder for Feishu (no implemented network call) and does not declare or use Feishu credentials. The 'auto-fix' behavior is advertised as attempting fixes, but the tryAutoFix function is effectively a no-op (it never performs any action besides categorizing alerts), so the behavior described in the docs and the behavior in the code diverge.
Install Mechanism
No install spec — instruction-only skill with a shipped script. Nothing downloaded or executed from remote sources during install, which reduces installer risk.
Credentials
SKILL.md and README mention pushing alerts via Feishu and integration with memory/ClawMemory, but the package metadata requires no environment variables or credentials. If Feishu notifications or external integrations are enabled, credentials (tokens/API keys) would normally be required; their absence from requires.env is an inconsistency and could lead to silent failures, or to maintainers later adding network code that expects credentials. The code also writes into the agent memory directory without requesting explicit permission or configuration.
Persistence & Privilege
always:false and no special privileges are requested. The script does create and write files under the workspace memory directories (memory/hot, memory/warm) — expected for this kind of skill but worth noting: it will persist detection results and thinking logs to disk within the agent workspace.
What to consider before installing
This skill is largely what it says (scans task files and writes logs), but I recommend caution before installing:
- Review and fix the hard-coded WORKSPACE path: scripts/detect.js uses '/Users/openclaw/.openclaw/workspace'. Change this to a configurable path (env var or relative path) so it doesn't accidentally read/write files in an unexpected home directory.
- Confirm Feishu behavior: README/SKILL.md mention pushing alerts to Feishu, but the script only logs a placeholder. If you plan to enable Feishu alerts, require and provide explicit environment variables (FEISHU_TOKEN/APP_ID/etc.) and audit any added network code for endpoints and scopes.
- Inspect and sandbox first: run the script in a sandboxed environment (or with a copy of your workspace) to verify it only reads the expected HEARTBEAT.md/WORKING.md and writes task-alert.md/thinking-log.md where you want them.
- If you don't want persistent writes, modify the script to write to a safe location or disable writing. The script will create memory/hot and write logs without prompting.
- If you expect auto-fix functionality, note it is minimal/placeholder in current code; don’t rely on it to change upstream tasks automatically.
If you want me to produce a small patch to make the WORKSPACE configurable (use an env var with a fallback) and to add explicit checks or to stub Feishu integration safely, tell me and I can generate it.
latest: vk9744m7npav6ayjq4b4ebf3m4x83hex3