by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's instructions generally match its stated purpose (routing where to save content), but it contains several inconsistencies and privacy-risk instructions (reading an absolute .context file, referencing monday.com/GitHub usage without declaring required credentials, and recommending publishing SKILL.md) that warrant caution before installing.
评估建议
This skill is mostly coherent with its stated purpose (deciding where to save content) but has several practical and privacy concerns you should review before installing: 1) Check how your agent will authenticate to monday.com and GitHub — the skill does not declare or explain required credentials. 2) Inspect the .context file at /opt/ocana/openclaw/workspace/skills/storage-router/.context (if present) to see what variables/IDs/tokens it contains; do not allow the agent to source it unless you t...详细分析 ▾
ℹ 用途与能力
The name/description (route content to monday.com, local, or MEMORY.md) matches the SKILL.md guidance. However, the skill repeatedly references monday.com and GitHub (including concrete board/doc IDs and a rule to place certain files in a GitHub repo) but declares no required credentials or environment variables. That omission is an incoherence: to actually save to those services an agent typically needs API tokens/credentials, yet none are declared or documented here.
⚠ 指令范围
The SKILL.md tells the agent to source a local .context file at an absolute path (/opt/ocana/openclaw/workspace/skills/storage-router/.context). Reading/sourcing a file is legitimate for loading IDs, but it accesses the agent's filesystem and could expose any variables placed there. The doc also directs where to store/never store credentials and even suggests pushing SKILL.md to a public repo — instructions that could lead to accidental exposure of internal rules or IDs. The routing rules are opinionated and prescriptive, which is fine, but they give the agent authority to decide destinations and could cause unintended uploads to external services if credentials are available.
✓ 安装机制
This is instruction-only (no install spec, no code files), so nothing is written to disk by the skill itself. That is the lowest-risk install mechanism.
⚠ 凭证需求
The skill expects integration with monday.com and GitHub but lists no required env vars, primary credential, or config paths. Either the skill assumes the agent already has global credentials (not documented), or it will attempt to read them from local files (the .context file). Requiring access to external services without documenting needed tokens is disproportionate and potentially confusing. The guideline to keep credentials local is good, but the skill does not specify how those local secrets should be provided or protected (file permissions, encryption).
ℹ 持久化与权限
The skill is not marked always:true and is user-invocable; autonomous invocation is allowed (platform default). The SKILL.md expects persistent artifacts (memory, .context, GitHub), but the skill itself does not request elevated platform privileges. This is normal, but combined with the other concerns (filesystem sourcing and undocumented external integrations) it increases the need for auditing the .context file and the agent's global credentials.
安装前注意事项
- Check how your agent will authenticate to monday.com and GitHub — the skill does not declare or explain required credentials.
- Inspect the .context file at /opt/ocana/openclaw/workspace/skills/storage-router/.context (if present) to see what variables/IDs/tokens it contains; do not allow the agent to source it unless you trust its contents and file permissions.
- The skill recommends storing SKILL.md or other items in a (potentially public) GitHub repo — verify your publishing policy to avoid leaking internal rules or IDs.
- Consider requiring user confirmation before the agent forwards content to external services (monday.com/GitHub).
- If you cannot verify the source of the skill or the .context contents, avoid installing or restrict the skill to manual invocation only. If you want higher assurance, ask the publisher to: list required credentials, document precisely what .context fields are expected, and remove recommendations that could publish internal files to public repos.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/6
Initial publish from Heleni workspace
● 无害
安装命令 点击复制
官方npx clawhub@latest install storage-router
镜像加速npx clawhub@latest install storage-router --registry https://cn.clawhub-mirror.com
技能文档
Before saving anything, route it to the correct destination.
Decision Table
| Content Type | Destination | Notes |
|---|---|---|
| Competitor research | monday.com — Competitive Analysis doc | your monday.com workspace |
| Product briefs, strategy docs | monday.com — relevant doc | your monday.com workspace |
| Meeting notes | monday.com — Notetaker / item update | |
| Project tasks / tracking | monday.com — board item | |
| PA rules & preferences | MEMORY.md | Long-term only, distilled |
| Lessons learned | MEMORY.md | After 2+ repetitions |
| Daily event log | memory/YYYY-MM-DD.md | Raw log, not curated |
| WhatsApp conversation context | memory/whatsapp/groups/ or dms/ | Per-conversation, local |
| Cron state / job state | local JSON (data/ or inbox/) | Runtime state only |
| PA contact list | PA_LIST.md (local) | Source of truth for PA sync |
| Config / credentials | local only, never monday | Security |
| Skill files | workspace/skills/ | Never monday |
Persistent Layer Decision
| Layer | Best for | Why |
|---|---|---|
| GitHub (private repo) | Agent state, memory, skills, .context | Version history, automated backup, private |
| monday.com | Research, docs, tasks, strategy | Searchable, shareable, owner-accessible |
| Local only | Runtime state, credentials, cron state | Speed, security, no sync needed |
- Owner needs to read/share it → monday.com
- Agent needs it across sessions → GitHub
- Ephemeral or secret → local only
Rules
ALWAYS → monday.com
- Research (competitors, market, technology)
- Documents the owner needs to access or share
- Project tracking, tasks, milestones
- Meeting summaries
- GTM, product, strategy content
ALWAYS → GitHub (private repo)
- MEMORY.md, daily notes, .context files
- Skill files (SKILL.md → pa-skills public repo)
- Agent behavioral rules and preferences
- Lessons learned
ALWAYS → local only
- Runtime state (cron jobs, inbox, heartbeat state)
- WhatsApp memory (per-conversation context)
- Credentials and config
- PA directory (PA_LIST.md)
NEVER
- ❌ Save research/docs to local files only
- ❌ Save credentials or config to monday.com
- ❌ Save WhatsApp context to monday.com
- ❌ Duplicate content across layers
Local Context
Load agent-specific IDs from .context file in this skill's directory:
CONTEXT_FILE="/opt/ocana/openclaw/workspace/skills/storage-router/.context"
[ -f "$CONTEXT_FILE" ] && source "$CONTEXT_FILE"
# Then use: $WORKSPACE_ID, $FOLDER_RESEARCH, $DOC_COMPETITIVE_ANALYSIS, etc.
.context doesn't exist — use Structure Index doc (DOC_STRUCTURE_INDEX) from monday.com to find current IDs.monday.com Workspace Map
Workspace: your monday.com workspace Structure Index Doc: 39993682 (always check here for latest IDs)
| Content | Folder | Board/Doc ID |
|---|---|---|
| Competitor analysis | 📁 Research (20077300) | Board: 18406632346 / Doc: 39808656 |
| Market research | 📁 Research (20077300) | Board: 18406632334 |
| Technology deep dives | 📁 Research (20077300) | Per-tool board (see index) |
| Product brief | 📁 Product (20077301) | Board: 18406632301 / Doc: 39808645 |
| MVP planning | 📁 Product (20077301) | Board: 18406632217 |
| GTM strategy | 📁 GTM (20077298) | Board: 18406632223 |
| PA Rollout tracking | 📁 Operations (20077299) | Board: 18407159006 |
| Skills guide | 📁 Operations (20077299) | Board: 18407110746 |
For full index with all IDs: read doc 39993682 in monday.com before saving anything new.
How to Use
Before saving any file or content, ask:
- Will Netanel need to access or share this? → monday.com
- Is this runtime/operational state? → local
- Is this a rule or preference I've confirmed multiple times? → MEMORY.md
- Is this a daily event log? → memory/YYYY-MM-DD.md
When in doubt → monday.com for content, local for state.
Trigger Phrases
- "save this"
- "document this"
- "document this"
- Before writing any file with research, analysis, or docs
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制