ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OmniFocus Automation

v1.0.0

Manage OmniFocus tasks, projects, and folders via Omni Automation. Use for task management, to-do lists, project tracking, GTD workflows, adding/completing/editing tasks, setting due dates, managing tags, and recurring tasks. Requires OmniFocus installed on macOS.

2· 2.7k·12 current·12 all-time
by@coyote-git
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the included JXA script which directly manipulates OmniFocus documents, projects, tasks, tags and repeat rules via the OmniFocus Automation APIs. The requested capabilities (task/project/tag manipulations) are consistent with the code and SKILL.md.
Instruction Scope
SKILL.md limits actions to OmniFocus operations and instructs running the bundled script. The implementation uses Application.currentApplication().doShellScript(...) to invoke osascript for AppleScript fallbacks; this is plausible for macOS automation but expands the set of operations the script can perform (shell and AppleScript execution). There are no instructions to read unrelated files or send data externally, but the use of shell/osascript means a malicious modification could execute arbitrary local commands — so inspect the AppleScript snippets in the code before trusting.
Install Mechanism
No install spec is provided (instruction-only with a bundled script), so nothing is downloaded or written by an installer. This lowers supply-chain risk; the only code is the included script.
Credentials
The skill declares no environment variables, no credentials, and no config paths. That is proportionate for a local OmniFocus automation utility.
Persistence & Privilege
The skill is not marked always:true and is user-invocable. It does not request persistent system-wide privileges in the metadata. It will require the user to grant macOS Automation access to OmniFocus (normal for this use case).
Assessment
This skill appears to do what it says: control OmniFocus via macOS automation. Before installing or running it, review the full scripts (scripts/omnifocus.js) yourself or have someone you trust inspect them. Pay attention to the AppleScript snippets executed via doShellScript/osascript (those can run shell commands). Only grant macOS Automation permissions to this script if you trust the source. Note that the package has no homepage and an unknown source/owner — lack of provenance increases risk; prefer skills from known authors or with a public repo you can inspect. If you need extra safety, run the script on a machine/profile with limited data or copy your OmniFocus data for backup before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bdcjagqkt3n3xe4kn0w61hx7zxvfz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments