Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

task-manager

v1.0.0

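Task management system for recording, tracking, and managing all tasks assigned to the assistant. It supports ongoing and one-time tasks, and records task status, invoked functions, permissions, and software dependencies. Use it when you need to manage task records, add tasks, query task status, or maintain the task system.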

by Simon Sun @quenfly
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the provided instructions and included script: the skill maintains a TASKS.md and updates statistics. Nothing in the package requests unrelated credentials or network access. However, the SKILL.md uses a hardcoded default file path (/Users/quenflysmac/.openclaw/workspace/TASKS.md) which is user-specific and odd for a generic skill; the package metadata does not declare any required config paths even though the skill expects to read/write a workspace file.
! Instruction Scope
Runtime instructions require creating, reading and writing a TASKS.md file in the user's workspace and mandate automatic recording of new tasks (within 5 minutes). Those file I/O operations are within the stated purpose, but the SKILL.md gives a specific absolute path tied to a particular user account instead of a generic workspace location and does not instruct about permissions, backups, or confirming writes with the user — giving the skill automatic write duties that may surprise users.
Install Mechanism
No install spec or external downloads; the skill is instruction-only and includes a small local Node script (scripts/update-task-stats.js) that reads/writes the TASKS.md file. No network fetches or archive extraction are present.
! Credentials
The skill declares no required environment variables or config paths, yet its runtime behavior expects filesystem access to a specific path under a user's home. The lack of declared config/permission requirements is a mismatch — the skill needs write/read permission to the workspace but does not document or request that explicitly.
Persistence & Privilege
The skill is not set to always:true and does not request elevated platform privileges. It will autonomously update a local file when invoked, which is consistent with its purpose. It does not modify other skills or global agent settings.
What to consider before installing
This skill appears to be a simple local task tracker that will create and update a TASKS.md file. Before installing:
1) Confirm where it will store TASKS.md — change the hardcoded path to a workspace-relative path to avoid writing into an unexpected home directory.
2) Review and run scripts/update-task-stats.js yourself to verify no unexpected behavior; it only reads/writes the provided file path but you should inspect it.
3) Ensure the agent is allowed to write to the chosen file and consider backups or version control for TASKS.md.
4) If you want prompts before automatic writes (the skill requires recording new tasks within 5 minutes), add explicit confirmation steps.
These checks will reduce surprises from implicit filesystem writes.

Like a lobster shell, security has layers — review code before you run it.

