Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Task Automator
v1.0.0
Automate repetitive computer tasks including file operations, data processing, web scraping, and API integrations. Use when you need to batch process files,...
by Yinanping (@yinanping-cpu)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the included run_task.py align with file organization and data conversion capabilities. However, the SKILL.md advertises broader features (scheduling, workflows, API sync, e-commerce integrations) that are either placeholders in run_task.py or implemented by scripts referenced in the docs but not included in the bundle (e.g., schedule_task.py, run_workflow.py, convert_data.py, base_task). The examples live under tasks-examples/, while the documentation refers to tasks/, which is inconsistent.
Instruction Scope
SKILL.md instructs running several scripts that do not exist in the package (schedule_task.py, run_workflow.py, convert_data.py, etc.). The provided run_task.py performs real file operations (shutil.move) and will move files under the user's home by default, which is expected for a file organizer but can be destructive if misconfigured. The docs also recommend storing API keys in environment variables, yet the code has placeholders for API/web/e‑commerce tasks and does not show how secrets would be used—this mismatch increases risk because users may supply credentials to workflows that are not fully implemented or audited.
Install Mechanism
There is no install specification (instruction-only with one code file). Nothing is downloaded or extracted during install, which minimizes supply-chain risk.
Credentials
The registry declares no required environment variables, but SKILL.md recommends using environment variables/.env for API keys and secrets. For real API or e‑commerce usage the skill will require credentials, but those are not documented as required in the metadata. This disconnect means credentials would be provided ad hoc (not scoped or validated), increasing risk if users supply high‑privilege keys without understanding where/how they are used.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It writes logs to a local logs/ directory and can create/move files/directories under user paths; that is expected behavior for an automation tool but should be used with caution.
What to consider before installing
Proceed cautiously. The package appears incomplete: SKILL.md references several scripts and a base_task that are not included, and API/e‑commerce features are placeholders. Before running:
1) Inspect the code (especially any scripts that perform file operations) and test with --dry-run on non-critical directories;
2) Don’t provide real API credentials or schedule jobs until you have the missing workflow/scheduler code and have reviewed how secrets are used;
3) Run the tool in a sandbox or VM first to observe behavior;
4) Ask the publisher for the complete source (schedule_task.py, run_workflow.py, convert_data.py, base_task, tasks/ registry) and for clarification on how API keys will be handled.
If you need production API/e‑commerce automation, prefer a package that documents required credentials and includes the referenced scripts.
Like a lobster shell, security has layers — review code before you run it.
