Skill v1.0.0

ClawScan security

Department Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 15, 2026, 7:53 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements align with its stated purpose: it manages local department/task state in a JSON file and does not request credentials or perform network/exfiltration actions.
Guidance
This skill appears coherent and local-only, but check these before installing: (1) Inspect the included script yourself (it’s small and readable) to confirm it meets your expectations. (2) Be aware it stores all department and task data in ~/.openclaw/department-manager/departments.json (plaintext JSON) — avoid putting secrets or sensitive data into tasks or outputs. (3) If you prefer isolation, run with --data-dir pointed to a sandbox location. (4) The SKILL.md mentions model names but the script does not perform any network/API calls; integrating with remote LLM providers would require separate credentials/configuration outside this skill.

Review Dimensions

Purpose & Capability
ok: The name/description describe multi-agent department/task management and the included Python script implements create/list/assign/status/complete/report/remove operations. Requiring python3 is appropriate and proportional.
Instruction Scope
note: SKILL.md directs use of the bundled script and documents CLI commands. The runtime instructions only read/write a local JSON data file (~/.openclaw/department-manager/departments.json) and do not reference other system files, credentials, or external network endpoints. Note: the skill stores task output locally (plain JSON), so sensitive content entered as task output will be persisted.
Install Mechanism
ok: No install spec or remote downloads; this is an instruction-only skill with a bundled Python script. Nothing is fetched from third-party URLs or written to system locations beyond the user's home directory.
Credentials
ok: No environment variables, credentials, or config paths are required. The recommended model strings in the README are informational only and the script does not attempt to use or authenticate to those services.
Persistence & Privilege
note: always:false (no forced inclusion). The script persists data to ~/.openclaw/department-manager/departments.json which is expected for this utility; it does not modify other skills or system-wide agent settings. Consider that persisted task outputs may contain sensitive information.