ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daily to Goal AI Coach

v0.1.1

Daily to Goal AI Coach — 在 ClawHub / OpenClaw 中一键安装,自动开通 Daily to Goal 工作空间,通过对话完成目标管理、任务追踪、贡献记录、每日摘要与团队周报的完整闭环。支持个人模式与团队模式,安装全程在 IM 渠道(Telegram 等)对话内完成,无需跳转网页。

0· 114·0 current·0 all-time
byXiao Ke@xiaoke-bot

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xiaoke-bot/daily-to-goal-ai-coach.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Daily to Goal AI Coach" (xiaoke-bot/daily-to-goal-ai-coach) from ClawHub.
Skill page: https://clawhub.ai/xiaoke-bot/daily-to-goal-ai-coach
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install daily-to-goal-ai-coach

ClawHub CLI

Package manager switcher

npx clawhub@latest install daily-to-goal-ai-coach
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill description promises a hosted workspace, automated daily/weekly triggers, and IM-based installation. That functionality legitimately requires a backend service (web endpoints, a database, and secrets). However the published package is instruction-only with no server code or install spec, while skill.json declares an entrypoint (/api/skill-gateway) and installation endpoints. This is internally inconsistent: either the skill is just documentation for a separate service, or the package is incomplete.
!
Instruction Scope
SKILL.md describes an IM-only install flow and refers to a '.env.example', but does not give concrete deployment steps. README explicitly requires calling /api/skill-gateway/installations/start and /complete and lists required env vars (DATABASE_URL, SKILL_GATEWAY_BASE_URL, CLAWHUB_INSTALLATION_SECRET, WEB_ORIGIN). The instructions therefore implicitly expect the agent/user to host accessible HTTP endpoints and provide database credentials — none of which are provided or automated by this package. That scope creep (needing hosted endpoints and secrets) is not surfaced in the registry metadata.
Install Mechanism
There is no install spec (instruction-only), so nothing is written to disk by the platform. That reduces immediate supply-chain risk. However because runtime behavior requires a separately hosted service, the real install risk depends entirely on where the user will host the service and what code they deploy (which is not included here).
!
Credentials
Registry metadata lists no required env vars, but README documents several sensitive variables: DATABASE_URL (Postgres connection), CLAWHUB_INSTALLATION_SECRET (shared secret), SKILL_GATEWAY_BASE_URL and WEB_ORIGIN. Those are plausible for a web-backed workspace/automation service, but the mismatch between declared requirements (none) and README is a red flag. Users should not supply database credentials or shared secrets to an opaque/incomplete package without knowing who runs the service and reviewing the code.
Persistence & Privilege
always is false (normal) and the skill is user-invocable. Autonomous invocation is allowed (default) but there is no shipped code to act on that. The main persistence/privilege concern is that the skill's operation would require long-lived credentials (DB URL and an installation secret). Granting those to an unknown or unreviewed backend would be high-risk.
What to consider before installing
Do not install or provide secrets yet. The package is missing the server code that skill.json and the README refer to — it expects hosted endpoints (/api/skill-gateway/*) and sensitive environment variables (DATABASE_URL, CLAWHUB_INSTALLATION_SECRET, SKILL_GATEWAY_BASE_URL, WEB_ORIGIN). Before proceeding, ask the publisher for: (1) full source code for the backend that implements the /api/skill-gateway endpoints; (2) a trustworthy homepage or repository and release artifacts; (3) clear deployment instructions showing where data will be stored and who operates the service; and (4) privacy/data-flow details (what user/IM data is stored or sent elsewhere). If you must test, do so in an isolated environment (no production DB credentials) and never hand over real DB URLs or shared secrets to an unverified/opaque service. Providing those to an unknown backend could expose your data and permit privilege escalation.

Like a lobster shell, security has layers — review code before you run it.

latestvk972k04m9d9hb3ce9tat79kdd583aymv
114downloads
0stars
1versions
Updated 1mo ago
v0.1.1
MIT-0
Xiao Ke@xiaoke-bot
latest
Download

Daily to Goal AI Coach

Daily to Goal 的一键式 AI Skill。安装后自动开通工作空间,通过对话完成目标与任务闭环管理。

功能

  • 对话式目标创建,引导补齐 SMART 要素
  • 任务创建时自动检测目标关联并建议绑定
  • 任务完成后追问贡献结果并回写目标进展
  • 工作日每日摘要(09:00 自动推送)
  • 每周周报草稿生成
  • 团队风险提醒

安装引导

安装全程在 IM 渠道对话内完成,无需打开电脑或跳转网页:

  • 新用户:Bot 引导完成工作空间创建,通过 IM 身份直接绑定账号
  • 已有账号:支持 API Token 绑定或邮箱验证码绑定

环境变量

参见 .env.example

Comments

Loading comments...