Delegate Task

v1.0.0

Delegate tasks to OpenSpace — a full-stack autonomous worker for coding, DevOps, web research, and desktop automation, backed by an extensive MCP tool and sk...

⭐ 0· 46·2 current·2 all-time

by@tcbywing

Security Scan

Capability signals

Requires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

Name and description match the behaviour described in SKILL.md (delegation to an external MCP with tools to search, execute, fix, and upload skills). However, the skill assumes connectivity to a cloud MCP and the presence of a cloud API key for search/upload operations but declares no required environment variables or endpoints. That omission is an incoherence: legitimate cloud integration would normally declare which credential(s) are needed and/or which endpoint is used.

Instruction Scope

The instructions direct the agent to read and write local skill directories (skill_dir paths), auto-download cloud skills locally (auto_import), and upload local directories to a community cloud. Those operations involve filesystem access and network transfer of potentially sensitive code/data. The SKILL.md gives broad discretion to 'decide whether to upload' evolved skills but provides no guardrails for excluding secrets or sensitive files, nor does it name the cloud endpoint or credential variable(s). This broad, underspecified scope increases risk of accidental exfiltration.

✓

Install Mechanism

This is an instruction-only skill with no install spec and no code files, so there is no installer or archive to fetch. The install surface is minimal; the main risk comes from runtime actions (downloads/uploads), not from an installer.

Credentials

SKILL.md references a 'cloud API key' and fallback behavior when no API key is present, but requires.env and primary credential fields are empty. The skill therefore fails to declare the credentials it will need at runtime. Because it can upload local directories to the cloud, requesting an unspecified API key without naming scopes or constraints is disproportionate and ambiguous.

ℹ

Persistence & Privilege

The skill does not request always:true and uses the platform default allowing autonomous invocation. It will save evolved/fixed skills locally and can upload them to the community (persisting them externally). That behaviour is coherent with its purpose but is a significant privilege: it can create files and transmit them off-host. Users should be aware that uploads may be public unless visibility is set to private.

What to consider before installing

This skill delegates work to an external OpenSpace MCP and can download and upload local skill directories. Before installing or using it: (1) ask the publisher which cloud endpoint it talks to and which environment variable name(s) it expects for API keys; (2) prefer running it in a sandbox or with filesystem restrictions so only a dedicated skills folder (no sensitive files) is accessible; (3) disable or set search_scope to "local" if you don't want cloud lookups/imports; (4) if you must provide an API key, create a limited-scope key and avoid reusing broad credentials; (5) require manual review/confirmation before any upload and set upload visibility to private by default; (6) if the publisher cannot explain credential names, endpoints, and upload governance, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk979j7jpgv8edbd2m045cb57f1854tzt

46downloads

0stars

1versions

Updated 2d ago

v1.0.0

MIT-0

Delegate Tasks to OpenSpace

OpenSpace is connected as an MCP server. You have 4 tools available: execute_task, search_skills, fix_skill, upload_skill.

When to use

You lack the capability — the task requires tools or capabilities beyond what you can access
You tried and failed — you produced incorrect results; OpenSpace may have a tested skill for it
Complex multi-step task — the task involves many steps, tools, or environments that benefit from OpenSpace's skill library and orchestration
User explicitly asks — user requests delegation to OpenSpace

Tools

execute_task

Delegate a task to OpenSpace. It will search for relevant skills, execute, and auto-evolve skills if needed.

execute_task(task="Monitor Docker containers, find the highest memory one, restart it gracefully", search_scope="all")

Parameter	Required	Default	Description
`task`	yes	—	Task instruction in natural language
`search_scope`	no	`"all"`	Local + cloud; falls back to local-only if no API key
`max_iterations`	no	`20`	Max agent iterations — increase for complex tasks, decrease for simple ones

Check response for evolved_skills. If present with upload_ready: true, decide whether to upload (see "When to upload" below).

{
  "status": "success",
  "response": "Task completed successfully",
  "evolved_skills": [
    {
      "skill_dir": "/path/to/skills/new-skill",
      "name": "new-skill",
      "origin": "captured",
      "change_summary": "Captured reusable workflow pattern",
      "upload_ready": true
    }
  ]
}

search_skills

Search for available skills before deciding whether to handle a task yourself or delegate.

search_skills(query="docker container monitoring", source="all")

Parameter	Required	Default	Description
`query`	yes	—	Search query (natural language or keywords)
`source`	no	`"all"`	Local + cloud; falls back to local-only if no API key
`limit`	no	`20`	Max results
`auto_import`	no	`true`	Auto-download top cloud skills locally

fix_skill

Manually fix a broken skill.

fix_skill(
  skill_dir="/path/to/skills/weather-api",
  direction="The API endpoint changed from v1 to v2, update all URLs and add the new 'units' parameter"
)

Parameter	Required	Description
`skill_dir`	yes	Path to skill directory (must contain SKILL.md)
`direction`	yes	What's broken and how to fix — be specific

Response has upload_ready: true → decide whether to upload.

upload_skill

Upload a skill to the cloud community. For evolved/fixed skills, metadata is pre-saved — just provide skill_dir and visibility.

upload_skill(
  skill_dir="/path/to/skills/weather-api",
  visibility="public"
)

For new skills (no auto metadata — defaults apply, but richer metadata improves discoverability):

upload_skill(
  skill_dir="/path/to/skills/my-new-skill",
  visibility="public",
  origin="imported",
  tags=["weather", "api"],
  created_by="my-bot",
  change_summary="Initial upload of weather API skill"
)

Parameter	Required	Default	Description
`skill_dir`	yes	—	Path to skill directory (must contain SKILL.md)
`visibility`	no	`"public"`	`"public"` or `"private"`
`origin`	no	auto	How the skill was created
`parent_skill_ids`	no	auto	Parent skill IDs
`tags`	no	auto	Tags
`created_by`	no	auto	Creator
`change_summary`	no	auto	What changed

When to upload

Situation	Action
Skill was originally from the cloud	Upload back as `"public"` — return the improvement to the community
Fix/evolution is generally useful	Upload as `"public"`
Fix/evolution is project-specific	Upload as `"private"`, or skip
User says to share	Upload with the visibility the user wants

Notes

execute_task may take minutes — this is expected for multi-step tasks.
upload_skill requires a cloud API key; if it fails, the evolved skill is still saved locally.
After every OpenSpace call, tell the user what happened: task result, any evolved skills, and your upload decision.

Comments

Loading comments...