ClawHub

Team Status Tracker

v1.0.3

Systematic team status tracking via Slack DMs with confidential Obsidian-based internal tracking. Maintains confidentiality while gathering actionable projec...

0· 343·2 current·2 all-time
by@parthpandya1729
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims Slack and Obsidian integration and the SKILL.md metadata lists required skills ['slack','obsidian'], which explains why it itself doesn't list Slack tokens. However, the skill does not declare any credentials or explicitly state how Slack/Obsidian access is provided. It also hardcodes an absolute default obsidian_path (/root/life/pkm/daily-status) which is unexpected for a general-purpose skill and may not be appropriate for most users. Overall plausible but under-specified.
!
Instruction Scope
The instructions tell the agent/operator to send personalized Slack DMs, monitor replies, follow up, and maintain confidential behavioral-tracking notes in Obsidian. They explicitly instruct creating and persisting files, documenting non-responders and behavioral observations, and include templates for automated reminders. That scope goes beyond a benign 'status template' helper: it instructs ongoing monitoring and storage of potentially sensitive personnel behavior data. It also references writing to .openclaw/workspace and to an absolute /root path—actions that require filesystem access and could produce long-lived private records.
Install Mechanism
Instruction-only skill with no install spec and no code files to execute. This minimizes direct installation risk—nothing in the bundle downloads or executes external binaries. The runtime behavior depends on other installed skills (slack, obsidian).
Credentials
The skill requests no environment variables or credentials itself, which is consistent with being an instruction-only wrapper that expects 'slack' and 'obsidian' skills to provide access. However, the included default config and templates use absolute filesystem paths (e.g., /root/...) and specify retention policies (keep_history_days: 90). Those defaults are disproportionate if applied without review because they assume write access to top-level filesystem locations and long-lived storage of sensitive behavioral data. Also, because the skill expects Slack automation, verify where Slack tokens will be stored and which skill will actually send messages.
Persistence & Privilege
always:false and no install components — the skill does not force permanent inclusion. However, the instructions assume the agent (or other skills) will autonomously send periodic reminders and write tracking files. If the agent is allowed to invoke skills autonomously, this could result in continuous monitoring/DMing. Consider the automation policy and consent implications before enabling autonomous runs.
What to consider before installing
Key points to check before installing/using: - Credentials & dependencies: The skill itself declares no Slack or Obsidian credentials; it depends on other skills to provide those. Confirm which 'slack' and 'obsidian' skills will be used, where they store tokens, and who can access them. - Filesystem defaults: The provided config/template defaults point at /root and .openclaw workspace paths. Change obsidian_path to a safe, intended directory in your user workspace and confirm permissions before storing confidential notes. - Privacy & consent: The templates encourage confidential behavioral tracking and non-responder lists. Ensure this matches your company policies and legal/Human Resources guidance — covert tracking of staff can be legally and ethically problematic. - Automation scope: Because the instructions describe automated checks and reminders, make sure automation is explicit, rate-limited, and tested in a non-production environment to avoid spamming team members. - Audit other skills: Review the 'slack' and 'obsidian' skills that will be used in conjunction with this one. The real security/privilege footprint (message sending, file writes, credential storage) lives with those skills, not this instruction-only package. If you proceed, sanitize default paths, set conservative retention (or manual purge), require explicit consent for behavioral notes, and test in a sandboxed workspace first.

Like a lobster shell, security has layers — review code before you run it.

latestvk971mbfq58ce9ccmdb0hqgbwsx81ymgd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments