Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Opclawtm Skill

v1.0.4

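opclawtm lets users quickly build an AI Agent team collaboration network through the CLI. Create teams with one click, connect Feishu group chats, and orchestrate task workflows: managers assign tasks, executors complete the work, and reviewers accept the results. It includes a built-in preset library and works out of the box. A complete team collaboration solution based on the OpenClaw platform.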

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (team collaboration via opclawtm CLI) matches the declared requirement to have the opclawtm binary and an npm install of package 'opclawtm'. This is coherent. However, multiple documents reference 'openclaw' (e.g., 'openclaw gateway', ~/.openclaw/ paths), which is inconsistent with the declared binary 'opclawtm' and the install target. That mismatch could be a harmless typo or indicate the instructions expect another tool/daemon that isn't declared.
Instruction Scope
Most runtime instructions stay within the expected scope (install, version, license, list-agents, guiding user to use TUI). But the skill explicitly instructs the agent to read local logs (cat ~/.openclaw/logs/gateway.log | grep "ou_") to extract user Open IDs — this touches user-specific files and potentially sensitive identifiers. The instruction set also tells the agent to guide users through creating third-party (Feishu) apps and to have users paste App ID/App Secret into the TUI; although the skill forbids the agent from creating bots or doing TUI business actions itself, the log-reading and secret-handling steps are delicate and worth flagging. The 'openclaw' vs 'opclawtm' command discrepancy also appears inside instructions (gateway startup) and is unexplained.
Install Mechanism
Install is via npm package 'opclawtm' which is the expected way to install a CLI Node package. This is a typical install mechanism (moderate risk compared to direct downloads). There is no direct download URL or extract step. The registry/package owner is not detailed here — verify the npm package and homepage before installing.
Credentials
The skill does not declare or request environment variables or credentials in the metadata, which aligns with a CLI helper. However, instructions require reading local logs (~/.openclaw/logs/gateway.log) to extract Open IDs and instruct the user to copy App Secret values into the TUI — both involve sensitive data. No external credentials are requested by the skill itself, but the agent is asked to access user-local artifacts which may contain secrets/IDs.
Persistence & Privilege
The skill does not request always:true and has no elevated persistence. It's instruction-only and relies on an external CLI; it does not modify other skills or system-wide agent configs per the provided files.
What to consider before installing
This skill mostly does what it says: install the opclawtm CLI and guide a user through TUI-based setup of teams and Feishu bots. Before installing or using it, verify the npm package 'opclawtm' and the homepage (look up the package on the npm registry and check opclawtm.com) to ensure they are legitimate. Be aware of these issues: (1) the docs reference a different binary and paths ('openclaw' and ~/.openclaw) — ask the maintainer to clarify or confirm if that is a typo; (2) the skill's instructions tell the agent to read local logs (~/.openclaw/logs/gateway.log) to find user IDs — only allow that if you consent to exposing those local identifiers; (3) the workflow requires creation of Feishu App ID/App Secret and pasting them into the TUI — never paste secrets into chat or third-party places; perform secret entry only in the official TUI and do not let the agent transmit them elsewhere; (4) test license/activation flows and any 'test codes' (the Douyin contact) cautiously — prefer official channels. If any of these points worry you, inspect the npm package contents manually before installing and run commands yourself rather than letting the agent execute them autonomously.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dwjv9mdf9c7pwcmpnj4je0x84hx8p

Runtime requirements

🤖 Clawdis
Bins: opclawtm

Install

Install opclawtm CLI (npm)
Bins: opclawtm
npm i -g opclawtm
