Inbox to Action Closer
v1.1.0Orchestration skill that processes raw work-item data from Slack, GitHub, calendar, Notion, Trello, and email — supplied by the caller or by other OpenClaw t...
⭐ 0· 141·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (an orchestration/normalisation pipeline) matches what the code does: adapters that normalise Slack, GitHub, calendar, Notion, Trello, and email items, then dedupe/score/render. The skill declares no credentials, no required binaries, and the SKILL.md explicitly states it does not fetch external APIs. The provided source files reviewed implement only parsing, matching, scoring and rendering logic—no network or credential access was found in the reviewed files.
Instruction Scope
SKILL.md instructs the agent to accept raw JSON from callers/upstream tools and run the normalise→dedupe→score→render pipeline. The runtime instructions do not request reading arbitrary host files, accessing environment variables, or posting to external endpoints. Safety rules in SKILL.md explicitly forbid automatic writes and fabrication of items and insist on user confirmation for write actions. One repository doc (CLAUDE.md) contains governance/CLI guidance for humans working on the repo, but SKILL.md does not direct runtime agents to execute those governance commands.
Install Mechanism
No install spec is declared (instruction-only), which is low-risk. However, the skill bundle includes full TypeScript source, tests, package.json and package-lock.json. There is no external download/install-from-URL. If your platform executes bundled code (e.g., runs src/index.ts) ensure you control the execution environment; the package's devDependencies are typical test/build tools only.
Credentials
The skill declares no required environment variables or primary credential and the reviewed code does not read process.env or require secrets. Adapters expect caller-supplied JSON and do not include credential management or API connectors, consistent with the SKILL.md claim.
Persistence & Privilege
No elevated privileges requested. always is false, model invocation is allowed (platform default). The skill does not attempt to modify other skills or system-wide settings in the reviewed files.
Assessment
This skill appears internally consistent: it normalises, deduplicates, scores, and renders items supplied to it and does not request credentials or perform network calls in the reviewed files. Before installing or running it: 1) Review the remaining/truncated files (20 files were omitted in the listing) to confirm there are no hidden network calls or credential usage. 2) If your platform will execute the bundled code, run it in a sandboxed environment first (no access to host secrets or outbound network) and inspect any console outputs. 3) Supply only sanitized raw JSON from trusted upstream connectors (the skill assumes callers provide data). 4) Confirm the platform enforces the SKILL.md safety rules (no automatic writes) so that any write-back requires explicit user confirmation.Like a lobster shell, security has layers — review code before you run it.
latestvk9706g9bdnm75dx004sg4yzgth83kwv5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.