by 安全扫描
OpenClaw
安全
high confidenceNULL
评估建议
This skill appears internally coherent and implements what it claims: model triage, sub-agent spawn command generation, and local token-cost tracking. Before installing or running it, consider: 1) Integration is partially manual/stubbed — execute_task prints spawn commands rather than automatically calling sessions_spawn, and track_session_cost is not fully implemented; expect to supply platform session calls or finish integration. 2) Cost/log file (taskmaster-costs.json) will be created/updated...详细分析 ▾
✓ 用途与能力
Name/description (task delegation, model selection, sub-agents, token tracking) match the included files and code. The Python code implements complexity analysis, model selection, spawn-command generation, and local cost logging consistent with the stated functionality. Use of Anthropic model identifiers is coherent with cost-optimization claims.
ℹ 指令范围
SKILL.md and code stick to orchestration, model selection, spawn command generation, and cost tracking; they do not instruct reading unrelated system files or requesting unrelated credentials. However, several integration functions are stubs or designed for manual invocation (e.g., execute_task prints spawn commands and returns instructions rather than calling sessions_spawn directly; track_session_cost/session_status parsing is incomplete/truncated). Also the skill writes/updates a local JSON cost log (taskmaster-costs.json) which may contain task metadata; review whether that file could store sensitive task text before use.
✓ 安装机制
No install spec and no external downloads. The skill is instruction+code only and depends only on Python standard capabilities. There are no URLs, installers, or extracted archives that would execute arbitrary remote code during install.
✓ 凭证需求
The package declares no required environment variables, no credentials, and no config paths. The code expects OpenClaw platform functions (sessions_spawn, session_status) for integration but does not request unrelated secrets or cloud credentials.
ℹ 持久化与权限
always:false (no forced inclusion). The skill writes a local cost log (taskmaster-costs.json) and returns spawn commands that include 'cleanup': 'keep' which may retain session artifacts until cleaned. The skill does not request system-wide privileges or alter other skills' config, but consider that saved logs may contain task descriptions or outputs.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/2
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install taskmaster
镜像加速npx clawhub@latest install taskmaster --registry https://cn.longxiaskill.com