Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Quest Board

v0.1.0

Visual project dashboard managing quests, priorities, progress, and infrastructure via quest-board-registry.json with build and init commands.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included scripts and assets: build.sh generates an HTML dashboard from quest-board-registry.json and init.sh scans the workspace to create a skeleton registry. The declared filesystem permission in claw.json matches the skill's need to read/write files.
Instruction Scope
SKILL.md directs the agent to run the included init and build scripts and to maintain a local quest-board-registry.json. init.sh scans the workspace for Markdown files (excluding some known files/dirs) to auto-generate entries — this is expected for discovery, but it does mean the skill reads many workspace files. The generated HTML embeds the registry JSON directly into a JS variable (const REG=__REGISTRY_DATA__); because registry content is injected into the page, malicious or untrusted content in the registry could alter page behavior when the HTML is opened locally (risk of XSS-like effects in the browser).
Install Mechanism
No install spec or external downloads; this is an instruction-only skill with included shell scripts and static HTML template. Nothing is fetched from remote sources and no archives are extracted.
Credentials
No required environment variables or credentials are declared. The scripts accept optional environment variables (QUEST_BOARD_TITLE, QUEST_BOARD_WORKSPACE) which are reasonable and limited in scope.
Persistence & Privilege
always:false and normal agent invocation settings. The skill writes only its own registry file and output HTML in the workspace and does not modify other skills or global agent config.
Assessment
This skill appears to do exactly what it claims: scan your workspace for Markdown files (to build a registry), generate a local JSON registry file, and render an interactive HTML dashboard. Before installing or running it:
1) review the generated quest-board-registry.json (it will be created/updated in your workspace) and don't include sensitive files in the registry;
2) be aware the dashboard embeds the registry JSON directly into the HTML — opening the page runs its script against that data, so avoid loading untrusted registry content;
3) the UI provides buttons that copy file paths to clipboard and open file:// directories in your browser — these are expected features but they expose local paths and may be blocked by some browsers; and
4) because init.sh scans many folders, run it in a workspace you trust or run it manually after review.
If you want to harden: run init.sh in a disposable workspace copy, or modify build.sh to JSON-serialize/escape the registry before embedding to reduce injection risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk975vy5h1565feszbbtwt8mz5d81e0zy
