Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

redmine-tools

v1.0.0

Fetch, update, and summarize Redmine issue attachments from CLI.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yinxianwei/redmine-tools.

Install the skill "redmine-tools" (yinxianwei/redmine-tools) from ClawHub.
Skill page: https://clawhub.ai/yinxianwei/redmine-tools
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install redmine-tools

ClawHub CLI

npx clawhub@latest install redmine-tools

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill's name and description match the code: it fetches/updates Redmine issues and summarizes image attachments via an OpenAI-compatible API. However, the registry metadata claims no required environment variables or binaries while SKILL.md and the script clearly require REDMINE_* and OPENAI_* env vars and a Node runtime. That mismatch is unexpected and should be corrected.
! Instruction Scope
The SKILL.md and script instruct the agent to: read REDMINE_BASE_URL and REDMINE_API_KEY from environment, download issue attachments from Redmine, convert images to data URLs, and POST them (with accompanying prompt/context) to the OPENAI_API_URL. This behavior is coherent with image summarization but it also means potentially sensitive attachments are transmitted to an external model endpoint — a clear exfiltration risk if the endpoint is untrusted. The instructions do not reference unrelated system files, so no other scope creep was found.
Install Mechanism
No install spec is provided (lowest install risk). However, the skill includes a Node.js script and expects it to be run via 'node scripts/redmine.js'. The registry's 'required binaries: none' is inconsistent with that expectation — Node.js must be available on PATH for the script to run.
! Credentials
The SKILL.md requires REDMINE_BASE_URL and REDMINE_API_KEY and OPENAI_API_URL/OPENAI_API_KEY/OPENAI_MODEL/OPENAI_IMAGE_SUMMARY_PROMPT. These are proportionate to the stated functionality. But the registry metadata does not declare these required environment variables or a primary credential, which is a mismatch. Also, because the skill sends full image attachments (base64 data URLs) to the OpenAI-compatible endpoint, the OPENAI_API_URL and OPENAI_API_KEY effectively receive potentially sensitive data; users should ensure the model endpoint is trusted and that REDMINE_API_KEY has minimal privileges.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system-wide settings. It requires no special persistent privileges beyond the runtime env vars and executing the script with the Node runtime.
What to consider before installing
Before installing or running this skill:

  • Expect to provide REDMINE_BASE_URL and REDMINE_API_KEY and OpenAI-compatible credentials; the registry metadata currently omits these — ask the publisher to correct that.
  • Node.js must be available to run scripts/redmine.js.
  • Understand that the 'image' command downloads attachments from Redmine and sends the full image (base64 data URL) to whatever OPENAI_API_URL you configure; only point this to a trusted model endpoint. If attachments may contain confidential data, do not send them to external/third-party services.
  • Verify the source code (no homepage/source provided) or run it in an isolated environment before using with production credentials.
  • Prefer using least-privilege API keys for Redmine and, if possible, an internal model endpoint or one with appropriate data-handling guarantees.

If the publisher can correct the metadata (declare required env vars and the Node requirement) and provide a trustworthy source/homepage, that will reduce the ambiguity.
scripts/redmine.js:395
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97d3e6d4r13vs43hj36qkendn83j7ss
99 downloads
1 star
1 version
Updated 1mo ago
v1.0.0
MIT-0

Redmine Tools Skill

This skill provides a Node.js CLI to fetch, update, and summarize Redmine issues.

Command

node scripts/redmine.js get --id <issueId>
node scripts/redmine.js update --id <issueId> [--status_id <statusId>] [--notes <text>]
node scripts/redmine.js image --id <issueId>

Supported Flags

  • --id <issueId>: Required Redmine issue ID.
  • --include <fields>: Optional include fields. Defaults to attachments,journals.
  • --status_id <statusId>: Optional for update. New Redmine status ID.
  • --notes <text>: Optional for update. Journal note content.
  • At least one of --status_id or --notes must be provided for update.

Environment Variables

  • REDMINE_BASE_URL: Redmine base URL, for example https://redmine.example.com.
  • REDMINE_API_KEY: Redmine API key.
  • OPENAI_API_URL: OpenAI-compatible API base URL or full /chat/completions URL.
  • OPENAI_API_KEY: OpenAI-compatible API key.
  • OPENAI_MODEL: Model name used for image summarization.
  • OPENAI_IMAGE_SUMMARY_PROMPT: Prompt used to summarize each image attachment.

Behavior

  • get uses endpoint: /issues/:id.json with include=attachments,journals by default.
  • update uses endpoint: /issues/:id.json (HTTP PUT) and sends only the provided status_id and/or notes fields.
  • image fetches issue attachments, keeps supported image files, and summarizes each image through an OpenAI-compatible chat/completions API.
  • Reads base URL and API key from environment variables only.
  • Reads model URL, key, model name, and image summary prompt from environment variables.
  • Prints JSON output to stdout.
  • Returns non-zero exit code on errors.

Image Command Notes

  • Supported image types: png, jpg, jpeg, webp, gif.
  • Non-image or unsupported attachments are skipped and reported in the output.
  • The command downloads each image attachment and sends it as a data URL to the model.
  • The model prompt can include your own formatting, tone, or output constraints.

Examples

export REDMINE_BASE_URL=https://redmine.example.com
export REDMINE_API_KEY=xxxx
export OPENAI_API_URL=https://api.openai.com/v1
export OPENAI_API_KEY=xxxx
export OPENAI_MODEL=gpt-4.1-mini
export OPENAI_IMAGE_SUMMARY_PROMPT="Summarize what this image shows, explain its likely relevance to the issue, and keep the answer concise."

node scripts/redmine.js get --id 123
node scripts/redmine.js get --id 123 --include attachments,journals,watchers
node scripts/redmine.js update --id 123 --status_id 3 --notes "Issue fixed and verified"
node scripts/redmine.js update --id 123 --status_id 3
node scripts/redmine.js update --id 123 --notes "Need more logs from QA"
node scripts/redmine.js image --id 123
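
A pre-flight check for the environment variables documented above, as an added example that is not part of the skill or of scripts/redmine.js: it confirms the variables are set and that OPENAI_API_URL parses to an HTTPS host on an approved list before the image command sends any attachment. The function names and the allowlist are hypothetical, and the sample environment is constructed.

```javascript
// Added example, not part of scripts/redmine.js. Variable names come from the
// skill's documentation; preflight(), checkHttpsUrl() and the allowlist are hypothetical.
const REQUIRED_VARS = [
  'REDMINE_BASE_URL', 'REDMINE_API_KEY', 'OPENAI_API_URL',
  'OPENAI_API_KEY', 'OPENAI_MODEL', 'OPENAI_IMAGE_SUMMARY_PROMPT',
];

// Record problems with a URL setting; return its hostname, or null if unparsable.
function checkHttpsUrl(name, value, problems) {
  let url;
  try {
    url = new URL(value);
  } catch {
    problems.push(`${name} is not a valid URL`);
    return null;
  }
  if (url.protocol !== 'https:') problems.push(`${name} must use https`);
  if (url.username || url.password) problems.push(`${name} must not embed credentials`);
  return url.hostname.replace(/\.$/, ''); // drop a trailing root dot
}

// Return a list of problems; an empty list means the image command may run.
function preflight(env, allowedModelHosts) {
  const problems = [];
  for (const name of REQUIRED_VARS) {
    if (!env[name] || !env[name].trim()) problems.push(`${name} is not set`);
  }
  if (env.REDMINE_BASE_URL) checkHttpsUrl('REDMINE_BASE_URL', env.REDMINE_BASE_URL, problems);
  if (env.OPENAI_API_URL) {
    const host = checkHttpsUrl('OPENAI_API_URL', env.OPENAI_API_URL, problems);
    // Match the parsed hostname exactly: a substring test on the raw string
    // would accept "https://api.openai.com@other-host/" or look-alike suffixes.
    if (host && !allowedModelHosts.includes(host)) {
      problems.push(`OPENAI_API_URL host ${host} is not an approved model endpoint`);
    }
  }
  return problems;
}

// Constructed sample environment (values are placeholders).
const SAMPLE_ENV = {
  REDMINE_BASE_URL: 'https://redmine.example.com',
  REDMINE_API_KEY: 'xxxx',
  OPENAI_API_URL: 'https://api.openai.com/v1',
  OPENAI_API_KEY: 'xxxx',
  OPENAI_MODEL: 'gpt-4.1-mini',
  OPENAI_IMAGE_SUMMARY_PROMPT: 'Summarize what this image shows.',
};
console.log(preflight(SAMPLE_ENV, ['api.openai.com']));
```

Call preflight(process.env, [...]) with your own approved hosts and run `node scripts/redmine.js image` only when the returned list is empty.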
