Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenClaw Timebox
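v2.7.0
An all-day task execution system built for OpenClaw, based on the book "Timebox" (《时间盒》) as translated by Pan Nongfei (潘农菲). In the morning, a single conversation plans the whole day, discusses priorities, and locks in the timeboxes; during execution the AI does not interrupt at all; at the end of each box there is a 30-second quick capture; at the end of the day a daily summary is generated and automatically synced to tools such as Flomo and Notion. Supports automatic time blocking in Apple Calendar, Feishu, and Google Calendar, as well as taking timebox tasks two-way...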
by Vincent ZHANG @vinile
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill declares calendar, log, and task-sync integrations (Apple Calendar, Feishu, Google, TickTick, dida365, Notion, Flomo, etc.) and the SKILL.md and included ticktick_auth.py only request credentials/config related to those services. Required binaries/env are none by default; optional third‑party CLIs (dida-cli) are only requested if the user opts into that specific integration.
Instruction Scope
The runtime instructions ask the agent to read/write local config files (e.g., ~/.config/timebox/ticktick.json and EXTEND.md), run small helper scripts, and optionally install/run third‑party CLIs. Those actions are within the scope of integrating calendars and task services, but they do instruct the user/agent to create files containing client credentials and tokens—this is expected for OAuth flows but worth user attention.
Install Mechanism
There is no automated install spec (instruction-only skill). The only install action suggested is npm install -g @suibiji/dida-cli when the user opts into the China-specific dida365 integration; installing a global npm package is reasonable for that option but carries the usual trust/risk tradeoffs for third‑party packages.
Credentials
No environment variables or unrelated credentials are required by default. Credentials/tokens are requested only for services the user explicitly chooses (TickTick, Feishu, Google, Notion, Flomo, etc.). The ticktick_auth.py helper stores OAuth tokens locally (~/.config/timebox/ticktick.json), which is appropriate for a local OAuth flow.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide configuration changes. It writes its own config/token files under the user's home directory when integrations are enabled (normal behavior). It does not request to modify other skills or global agent settings.
Assessment
This skill appears coherent for a timebox workflow that syncs with calendars and task/log services. Before installing:
1) Only provide OAuth client_id/client_secret or API tokens for services you intend to use; do not paste unrelated secrets.
2) Expect the skill to write tokens/config under ~/.config/timebox and EXTEND.md under your home or project; review those files for sensitive content.
3) If opting into dida365, installing a global npm package (npm install -g @suibiji/dida-cli) is required; treat that package like any third‑party tool (check its source and reputation).
4) The included ticktick_auth.py uses a local callback server to perform standard OAuth; verify the file contents before running.
5) If you need higher assurance, run the OAuth steps manually (use official provider consoles) and keep tokens in a secure store rather than pasting them into long-lived plain files.
Like a lobster shell, security has layers: review code before you run it.
