← Back to Skills Marketplace
155
Downloads
0
Stars
0
Active Installs
6
Versions
Install in OpenClaw
/install openclaw-orchard
Description
Agentic project and task management plugin for OpenClaw. Persistent SQLite-backed task board with a queue runner that auto-dispatches ready tasks as subagent...
Usage Guidance
This plugin appears to implement what it claims: a persistent task board with an autonomous queue runner and a local UI proxy. Before installing, consider: 1) autonomous subagent spawns are the core feature — if you need to limit risk, enable debug.logOnly or ORCHARD_DISABLE_ALL_SPAWNS and test in a sandbox; 2) the standalone UI forwards the browser's Authorization header to the gateway — keep uiServer.bindAddress set to 127.0.0.1 and do NOT set uiServer.allowUnsafeBind unless you intentionally want LAN exposure; 3) optional config fields (contextInjection.apiKey, provider) let Orchard call external providers — only supply API keys you trust and understand potential data sent to those services; 4) building the plugin requires native modules (better-sqlite3) and a Node toolchain; verify build on a test host first; 5) review and test the debug flags and rate/limit settings (maxConcurrentExecutors, maxSubagentsPerProject, queueIntervalMs) to avoid runaway dispatching. If you need higher assurance, run the plugin in a local-only OpenClaw instance with debug.logOnly, review the repository manually, and/or restrict its role/permissions in your environment.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-orchard
Version: 0.2.5-rc.5
OrchardOS is a comprehensive project management plugin that automates task execution via subagents. The codebase demonstrates high security awareness, including explicit SSRF protections in the documentation fetcher (src/api/routes.ts) that blacklist private IP ranges and loopback-only defaults for the standalone UI proxy server. No evidence of data exfiltration, unauthorized execution, or malicious prompt injection was found; the plugin's capabilities are well-documented and aligned with its stated purpose.
Capability Assessment
Purpose & Capability
Name/description (persistent task board, queue runner, dashboard, subagent dispatch) match the shipped source, routes, tools, and plugin manifest. No unrelated environment variables or surprising binaries are requested. The ability to spawn subagents and expose a loopback UI proxy is explicitly documented in the manifest and README.
Instruction Scope
SKILL.md and README describe only plugin installation, configuration, available agent tools, and API/UI access. Runtime instructions and the codebase limit themselves to task/project CRUD, queue/runner control, a debug surface, and a local UI proxy. There are no instructions to read or exfiltrate unrelated host files or environment variables in the SKILL.md.
Install Mechanism
No install spec in the registry entry (installation is done via the OpenClaw plugin system). Source includes a standard npm package.json and package-lock; dependencies rely on better-sqlite3 (native), and the build step runs tsc and an HTML-to-TS generator. Build-time native compilation and peer dependency on OpenClaw are expected but may require a proper Node toolchain.
Credentials
The plugin does not declare required env vars or credentials. Optional debug env vars and a config schema support an optional context-injection provider (apiKey) and UI server settings. Those optional API keys/config entries are proportional to features (context injection, external KB providers, standalone UI), but enabling them increases the attack surface and should be done intentionally.
Persistence & Privilege
always:false and model-invocation is allowed (default). Orchard is designed to autonomously dispatch subagents (documented); that is necessary for its purpose but raises operational risk if misconfigured. The plugin exposes a loopback-only auth-forwarding proxy by default; non-loopback binds are refused unless explicitly allowed in config.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-orchard - After installation, invoke the skill by name or use
/openclaw-orchard - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.5-rc.5
Release 0.2.5-rc.5
v0.2.5-rc.4
Automated release from GitHub Actions for 0.2.5-rc.4
v0.2.5-rc.2
Release candidate: eliminate runtime dashboard file reads by generating and importing the UI HTML as a module, reducing static-analysis exfiltration hits while keeping the hardened local UI proxy behavior from rc.1.
v0.2.5-rc.1
Release candidate: harden publish surface and standalone UI proxy. Remove token auto-read from smoke script, trim published files, require explicit unsafe opt-in for non-loopback UI bind, and clarify security behavior in manifest/docs.
v0.1.1
Fix progress bar, sort controls on task list and board, settings panel, active tab indicator
v0.1.0
Initial release — agentic task board with queue runner, REST API, agent tools, and dashboard
Metadata
Frequently Asked Questions
What is OrchardOS?
Agentic project and task management plugin for OpenClaw. Persistent SQLite-backed task board with a queue runner that auto-dispatches ready tasks as subagent... It is an AI Agent Skill for Claude Code / OpenClaw, with 155 downloads so far.
How do I install OrchardOS?
Run "/install openclaw-orchard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OrchardOS free?
Yes, OrchardOS is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does OrchardOS support?
OrchardOS is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OrchardOS?
It is built and maintained by derp42 (@derp42); the current version is v0.2.5-rc.5.
More Skills