Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
opclawtm CLI
v1.0.2opclawtm 让用户通过 CLI 快速构建 AI Agent 团队协作网络。一键创建团队、接入飞书群聊、编排任务工作流——管理者分配任务、执行者完成工作、审核者验收成果。内置预设资料库,开箱即用。基于 OpenClaw 平台的完整团队协作解决方案。
⭐ 1· 70·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, and npm install of opclawtm align with a CLI team-management tool. However, the runtime docs instruct the user to run 'openclaw gateway' (a different binary) and reference ~/.openclaw paths, while the skill only declares opclawtm as a required binary—this mismatch is unexpected and should be clarified (either the environment must also provide an 'openclaw' binary or the docs are inconsistent).
Instruction Scope
Instructions direct the agent to run standard CLI checks (node version, npm install, opclawtm commands), use the TUI, and read local product files (logs, workspace/skills directories). Reading ~/.openclaw/logs/gateway.log and workspace directories is coherent for configuring bots and verifying artifacts, but it means the Skill instructs access to local logs and agent workspaces—which is functionally justified but sensitive. The guide also asks users to copy App ID/Secret into the TUI (expected), and to send a long requirement payload into Feishu (expected for a delegated workflow).
Install Mechanism
Install uses an npm package (opclawtm) which is a common, traceable mechanism and creates the opclawtm binary. No arbitrary URL downloads or archive extraction are specified.
Credentials
The skill declares no environment variables or external credentials, which fits. However, it asks users to paste Feishu App Secret into the TUI (normal for OAuth-style setup) and instructs reading local logs for 'ou_' IDs. Two red flags: (1) the documentation suggests obtaining test activation codes by privately messaging a TikTok/抖音 account number (1594204110) — unrelated third-party contact that could be a scam or leak channel; (2) the docs reference running 'openclaw gateway' (another component) without declaring it as a dependency, implying additional implicit privileges or services are required.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. There is no instruction to modify other skills' configs or system-wide settings beyond using the product's own files and TUI. Normal persistence characteristics.
What to consider before installing
This skill appears to be a CLI helper for the OpenClaw opclawtm product and uses npm for installation, but take these precautions before installing: 1) Clarify the 'openclaw' vs 'opclawtm' mismatch — the docs tell you to run `openclaw gateway` but the package provides `opclawtm`; ensure you know what additional binary/service (openclaw) is required. 2) Verify the npm package and homepage: inspect the opclawtm package owner, its repository/source code, and release provenance before installing globally. 3) Be cautious about secrets: the workflow asks you to paste Feishu App Secret into the TUI — confirm the TUI is local and not sending secrets to an unknown remote. 4) Treat the TikTok/抖音 contact for test codes as suspicious: do not share credentials or sensitive info through that channel; prefer official support channels (verify opclawtm.com contact). 5) Because the skill reads local logs and workspace directories (~/.openclaw/), consider installing and testing in a sandboxed account or VM first. If you need higher assurance, request the package source or an explanation from the publisher about the openclaw dependency and the official activation/test-code process.Like a lobster shell, security has layers — review code before you run it.
latestvk970d9dev25t3dvxdg12v60fhx84hrp8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🤖 Clawdis
Binsopclawtm
Install
Install opclawtm CLI (npm)
Bins: opclawtm
npm i -g opclawtm