Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Down-to-Earth Execution Working Method (踏实执行工作法)

v3.2.0

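Emphasizes executing tasks step by step, completely, and continuously, ensuring that words match actions and nothing is omitted, and safeguards quality and reliability through three-party supervision.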

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The name/description (enforce disciplined execution) aligns with the SKILL.md content (checks, heartbeats, verification, 3-agent supervision). However the runtime requirements implied by the instructions (writing persistent files, scheduling timers/cron, calling external APIs/tools) are not reflected in the declared requirements (no env vars, no config paths, no binaries). That mismatch suggests the skill expects capabilities it did not declare.
! Instruction Scope
The SKILL.md instructs agents to: perform silent pre-response checks, call tools when action verbs appear, persist a pending-queue to tasks/pending-queue.md or HEARTBEAT, set HEARTBEAT trigger times (to enable '5 minute' reports), retry API calls, and use cron/sessions. Those are concrete system actions (file I/O, timers, API calls) and go beyond simple guidance; they also require access to state and external services. The instructions do not constrain what data is persisted nor specify safe storage paths or required credentials.
Install Mechanism
No install spec and no code files beyond documentation — lowest install risk. Nothing is downloaded or installed by the skill itself.
! Credentials
The skill declares no required env vars or credentials, yet it refers to tools and APIs (feishu_doc example, sessions tool, cron, HEARTBEAT persistence) that typically require credentials and configuration. Requiring persistent storage and cross-session timers without declaring config or permission needs is disproportionate and opaque.
! Persistence & Privilege
The skill mandates persistent behaviors (write HEARTBEAT, pending-queue files, cron-like scheduling) and asserts it is a 'must-follow' iron law for all agents, but metadata does not mark always:true and does not declare config paths. This creates a gap between the enforced runtime behavior (persistent state, automatic actions) and declared privileges. If the agent environment allows file writes/cron or background notifications, the skill would cause cross-session persistence without having declared it.
What to consider before installing
This skill is an instruction-only policy that tries to make agents persist state (tasks/pending-queue.md, HEARTBEAT), run scheduled/automatic reports (cron/5-minute heartbeats), and call tools/APIs when it detects 'action' words. That behavior requires filesystem access, timers, and possibly external API credentials — none of which are declared. Before installing or enabling this skill:

1) confirm where HEARTBEAT and pending files would be stored and that those paths are safe (not /etc, home, or other sensitive locations);
2) verify which tool integrations (Feishu, sessions, cron) the agent will actually call and what credentials they need;
3) prefer running it in a sandboxed agent or restrict its permissions (no background timers, no writes outside a controlled data directory);
4) ask the author to declare required env/config and to provide explicit safeguards for persisted data and external calls.

The mismatch between declared requirements and the instructions is a legitimate reason to pause or sandbox it.


Tags: agent-management, execution, iron-law, latest, productivity
