Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SourceHarbor Watchlist Briefing

v1.0.0

Use SourceHarbor watchlists, briefings, Ask, MCP, and HTTP API to answer one question with current story context and evidence.

by Yifeng[Terry] Yu @xiaojiou176

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xiaojiou176/sourceharbor-watchlist-briefing.

Install the skill "SourceHarbor Watchlist Briefing" (xiaojiou176/sourceharbor-watchlist-briefing) from ClawHub.
Skill page: https://clawhub.ai/xiaojiou176/sourceharbor-watchlist-briefing
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install sourceharbor-watchlist-briefing

ClawHub CLI

npx clawhub@latest install sourceharbor-watchlist-briefing

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill is clearly an operator briefing card for SourceHarbor and its instructions (use MCP or HTTP API to load a watchlist/briefing and cite evidence) align with that purpose. However, the skill metadata declares no required environment variables or credentials while the runtime instructions expect variables like SOURCE_HARBOR_API_BASE_URL, WATCHLIST_ID and SOURCE_HARBOR_MCP_STATUS. That mismatch between declared requirements and the actual workflow is an incoherence to resolve.
Instruction Scope
SKILL.md confines the agent to loading watchlist/briefing data, evidence lookup, and returning structured outputs and guardrails (do not invent evidence). It instructs use of local MCP or local HTTP API endpoints (curl to /api/v1/...), which is appropriate for this use case. The instructions also include human-facing setup steps (git clone, run ./bin/dev-mcp) — useful but these ask a human to run local binaries and set env vars, so they should not be executed blindly by an operator or automated installer.
Install Mechanism
There is no automated install spec (instruction-only), which reduces immediate risk. However references/INSTALL.md recommends cloning https://github.com/xiaojiou176-open/sourceharbor.git and running ./bin/dev-mcp. That points to a third‑party GitHub repo (not declared/verified in metadata). While the guidance is local/manual, following it would install and run code from an unvetted source — a higher-risk action that the user should validate first.
Credentials
The skill requests no credentials in its manifest, but the runtime instructions reference runtime inputs and env vars (SOURCE_HARBOR_API_BASE_URL, WATCHLIST_ID, SOURCE_HARBOR_MCP_STATUS, and local path substitutions). The manifest should declare these as required env/config items. There are no requests for cloud keys or secrets in the instructions, but the metadata mismatch (undeclared envs and local config edits) makes the runtime privilege/requirements unclear and is a proportionality concern.
Persistence & Privilege
The skill is instruction-only, has no install step that would write to disk at install time, and does not request always:true or other elevated persistence. Example config snippets are provided for users to add to their MCP config, but the skill itself does not force persistent agent changes.
What to consider before installing
This skill appears to be a legitimate operator briefing card for a local SourceHarbor service, but there are inconsistencies you should clear up before installing or running anything: (1) The manifest declares no required env vars, yet SKILL.md expects SOURCE_HARBOR_API_BASE_URL and other runtime inputs — ask the author to declare these explicitly. (2) The install guidance tells you to clone and run code from https://github.com/xiaojiou176-open/sourceharbor.git; treat that as untrusted until you review the repo contents and author provenance. (3) Do not run ./bin/dev-mcp or any binaries from an unknown repo on production systems; run them in an isolated environment first. (4) Confirm whether your platform will actually provide MCP access or local HTTP access to 127.0.0.1:9000 and whether any credentials are required. If you cannot validate the repository and the missing manifest declarations, proceed cautiously or prefer an officially published SourceHarbor package.

Like a lobster shell, security has layers — review code before you run it.

Tags: briefing, latest, mcp, operator, sourceharbor, watchlist
135 downloads
0 stars
4 versions
Updated 2w ago
v1.0.0
MIT-0

SourceHarbor Watchlist Briefing

Use this skill when you want OpenClaw to inspect one SourceHarbor watchlist and answer a question with the current story and evidence context.

Think of it as an operator briefing skill card:

  • it teaches the agent the workflow
  • it names the MCP/HTTP setup needed
  • it shows which SourceHarbor capabilities matter
  • it keeps the answer evidence-backed and operational

Goal

  • start from one watchlist
  • reuse the current briefing or story payload
  • answer one operator question
  • cite the evidence used
  • return one concrete next action

Runtime you need

  • one connected SourceHarbor MCP server, or
  • one running SourceHarbor HTTP API at SOURCE_HARBOR_API_BASE_URL
  • if either still needs wiring, use references/INSTALL.md

Exposed MCP abilities

This skill is built around these SourceHarbor capability groups:

  • health
  • retrieval / Ask-style evidence lookup
  • jobs and compare views
  • artifacts and reports
  • workflows, subscriptions, and notifications when the question is really about operator state

Use references/CAPABILITIES.md for the concrete tool map.

Inputs To Fill In

  • WATCHLIST_ID: the watchlist you want to inspect
  • QUESTION: the question you want answered
  • SOURCE_HARBOR_API_BASE_URL: the SourceHarbor API base URL when MCP is not wired
  • SOURCE_HARBOR_MCP_STATUS: whether SourceHarbor MCP is already connected

Workflow

Use the strongest available path in this order:

  1. SourceHarbor MCP, if it is already connected
  2. SourceHarbor HTTP API at SOURCE_HARBOR_API_BASE_URL
  3. SourceHarbor web routes only as visible proof surfaces

Required steps:

  1. Load the watchlist object.
  2. Load the current watchlist briefing or briefing page payload.
  3. Identify the selected story and the recent changes.
  4. Answer QUESTION using that story context.
  5. Return:
    • Current story
    • What changed
    • Evidence used
    • Suggested next operator action

Output contract

Return:

  • current_story
  • what_changed
  • evidence_used
  • suggested_next_action
  • runtime_gap if MCP or HTTP access was partial

Guardrails

  • Do not pretend SourceHarbor is a hosted SaaS.
  • Do not turn sample/demo surfaces into live-proof claims.
  • Do not answer without evidence.
  • If MCP or HTTP access is partial, say so clearly instead of filling gaps.

Companion references

  • README.md
  • references/README.md
  • references/INSTALL.md
  • references/OPENHANDS_MCP_CONFIG.json
  • references/OPENCLAW_MCP_CONFIG.json
  • references/CAPABILITIES.md
  • references/DEMO.md
  • references/TROUBLESHOOTING.md
