Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Research Tracker
v0.1.0Manage and track autonomous AI research projects with state logging, instruction queues, agent coordination, and progress monitoring via SQLite.
⭐ 1· 2.9k·14 current·14 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
SKILL.md describes a local CLI (research) that manages SQLite state for coordinating autonomous agents — this matches the skill name/purpose. However, the registry metadata lists no required binaries or config paths while the instructions clearly require installing a 'research' binary and will use ~/.config/research-tracker/research.db. That metadata/instruction mismatch should be clarified.
Instruction Scope
Instructions are narrowly scoped to installing/running the 'research' CLI, logging events, heartbeats, checking for instructions, and using a local SQLite DB. The SKILL.md does not instruct the agent to read arbitrary unrelated files or to exfiltrate data. It does reference exporting RESEARCH_SESSION_ID (and implies SESSION_KEY) which could be sensitive, so care is needed when setting session environment variables.
Install Mechanism
There is no formal install spec in the registry, but the SKILL.md tells users/agents to 'brew tap 1645labs/tap' and 'brew install julians-research-tracker' or 'go install github.com/1645labs/julians-research-tracker/cmd/research@latest'. Both commands fetch and install code from third-party sources (unknown tap/org). Homebrew taps and go installs can execute arbitrary code; this is the highest-risk area and should be audited or replaced with verified release artifacts/checksums.
Credentials
The skill declares no required environment variables, but the docs reference RESEARCH_SESSION_ID (and SESSION_KEY) for tracking agent sessions. The local DB path (~/.config/research-tracker/research.db) is also used. Requested environment access is minimal and consistent with purpose, but the mismatch between declared and referenced env vars should be fixed and SESSION_KEY may be sensitive—avoid exporting secrets without review.
Persistence & Privilege
The skill does not request elevated privileges or an 'always' presence. It will create and persist a local SQLite DB in the user's home config directory and run migrations; that persistent local state is expected for this tool but you should be aware it will store events and state on disk.
What to consider before installing
This skill appears to be a wrapper around a local CLI that tracks agent work in a SQLite DB — functionally coherent. However: (1) the SKILL.md tells you to add an unknown Homebrew tap and to go install code from github.com/1645labs — review that repository and the brew tap contents before installing; these sources can run arbitrary code. (2) The registry metadata omits required binaries/env/config that the instructions use (research binary, RESEARCH_SESSION_ID, and ~/.config/research-tracker/research.db) — ask the publisher to fix metadata. (3) Treat SESSION_KEY and RESEARCH_SESSION_ID as potentially sensitive; avoid exporting secrets into long-lived environment variables unless you understand what they contain. (4) Prefer installing from a verified release (checksums, signed releases), run initial installs in an isolated environment (VM/container), and inspect the code/migration scripts before running migrations. If you cannot audit the tap/repo, consider this a risk and do not install on a sensitive machine.Like a lobster shell, security has layers — review code before you run it.
latestvk97451m7xp4j9saz0mhe10xpan7zxxr0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.