Security scan
OpenClaw
Suspicious
high confidence
Assessment and recommendations
Do not deploy this skill to production yet. The package has several internal inconsistencies that make its real behavior unclear: package.json points to index.js but index.js is missing; example code requires './index' but no entrypoint is present; the metadata lists python3 as a required binary although the code is JavaScript; OPENCLAW_WORKSPACE is declared required but isn’t referenced in the visible source. What to do before installing: 1) Ask the author/source for the missing index.js and a ...
⚠ Purpose and capability
Name/description (agent team management) matches the included JS modules (task allocation, tracking, quality, performance). However metadata and files diverge: package.json declares main: "index.js" but no index.js is present in the file manifest; example usage requires './index'. The manifest lists many JS modules but no entrypoint/exports, so it's unclear how the package is intended to be executed or integrated. Declared binary requirement 'python3' is not justified by the provided JavaScript source. These mismatches reduce confidence that required items are proportionate to the stated purpose.
ℹ Instruction scope
SKILL.md describes local-only operation, Git integration, and workspace-based operation; its usage examples pass workspace paths explicitly. The SKILL.md's runtime instructions do not ask the agent to read unrelated system files or exfiltrate secrets. However the doc declares OPENCLAW_WORKSPACE as required env but the visible code does not reference process.env.OPENCLAW_WORKSPACE (no file in the included snippets uses that env), and example tasks mention analyzing an external QQ mailbox — an integration not implemented in the visible code. The instructions are generally scoped to team-management tasks but give the agent some latitude (e.g., 'works with Git') without concrete implementation details.
ℹ Install mechanism
No install specification is provided (instruction-only), which is low risk, but the bundle actually contains multiple source files and a publish.sh. The presence of code + package.json without an install/build spec or entrypoint is an inconsistency. There is no remote download or extract step flagged. Overall installation behavior is unclear because required runtime binaries are declared but no install script uses them; that unpredictability is worth caution.
⚠ Credential requirements
Declared required env var: OPENCLAW_WORKSPACE (reasonable for a workspace-based manager). But the provided code snippets do not reference process.env.OPENCLAW_WORKSPACE or other environment variables, suggesting a mismatch between declared requirements and actual behavior. Declared required binaries include python3, but visible code is Node.js and does not call Python; git is listed (SKILL.md says it integrates with Git) but the code does not show git invocation. This disparity could indicate incomplete packaging or inaccurate metadata — both reduce transparency and raise risk because the real runtime needs aren't verifiable from the bundle.
✓ Persistence and privileges
Skill does not request always:true and does not claim to modify other skills or system-wide settings. No install spec attempts to create persistent system services. The code shown performs in-memory data management and logging; there are no obvious attempts to persist credentials or change agent configuration beyond its own structures.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/4
● Benign
Install command
Official: npx clawhub@latest install ai-agent-team-manager
Mirror: npx clawhub@latest install ai-agent-team-manager --registry https://cn.longxiaskill.com