skanderhelali

NextCloud Deck Tracker

by SkanderHelali · GitHub ↗ · v0.1.1
cross-platform ⚠ suspicious
Downloads: 934
Stars: 0
Active Installs: 0
Versions: 2
Install in OpenClaw
/install openclaw-deck-tracker
Description
Track OpenClaw tasks on NextCloud Deck board. Auto-add tasks to Queue, move through states.
Usage Guidance
This skill is internally inconsistent: its instructions require a 'deck' CLI and Nextcloud credentials (DECK_URL, DECK_USER, DECK_PASS) but the registry entry lists none. Before installing or providing secrets:
  1. Do NOT export your real DECK_PASS until you verify the code. Use a limited-scope Nextcloud App Password.
  2. Inspect the referenced GitHub repo (https://github.com/SkanderHelali/openclaw-deck-tracker) and review the 'deck' CLI code and monitor/notification implementation to confirm where notifications are sent.
  3. Change the default notification target (the SKILL.md defaults to 'Skander') or disable notifications if you can't verify destination.
  4. If you want to test, run the tool in an isolated environment (temporary VM or container) and use least-privilege credentials.
  5. Ask the publisher to update registry metadata to declare required env vars and any install steps, and to explain the notification endpoint and monitor process in detail.
If you can't verify these, treat the skill as high-risk and avoid giving it credentials.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-deck-tracker
Version: 0.1.1
The skill provides legitimate task management features for NextCloud Deck, requiring network access and the ability to spawn background processes (`deck monitor`). However, the 'AI Protocol: Complex Descriptions' in both `SKILL.md` and `README.md` instructs the AI agent to use a temporary file method for updating card descriptions. This involves writing arbitrary content to `/tmp/deck_desc_<id>.txt` and then using `$(cat /tmp/deck_desc_<id>.txt)` within a command. This pattern creates a significant prompt injection vulnerability, allowing an attacker to instruct the AI agent to write and execute arbitrary shell commands, leading to potential Remote Code Execution (RCE).
Capability Assessment
Purpose & Capability
The skill claims to manage Nextcloud Deck cards, which legitimately requires DECK_URL, DECK_USER, DECK_PASS and a client (the 'deck' CLI). However the registry metadata lists no required environment variables, no primary credential, and no required binaries. The SKILL.md repeatedly instructs use of a 'deck' CLI and environment variables — so the declared metadata does not match the actual capabilities and requirements.
Instruction Scope
Instructions direct the agent to create and update cards, write temp files under /tmp, spawn a background monitor that logs every 60s and 'sends a chat notification' every 120s (defaulting to a user named 'Skander'). The monitor behaviour and the unspecified 'chat notification' endpoint are ambiguous and could result in outbound notifications or data disclosure to an external recipient. Otherwise most commands stay within Nextcloud Deck API usage, but the background-notify behavior and the hardcoded default target are red flags.
Install Mechanism
This is an instruction-only skill (no install spec, no code files). The README suggests installing via 'clawhub' or cloning a GitHub repo (https://github.com/SkanderHelali/openclaw-deck-tracker), but the registry provides no automated install. That means the agent's instructions expect an external 'deck' CLI to already exist or for a user to manually install code from the referenced repo — which could contain arbitrary code. No automatic downloads are performed by the registry entry, lowering automatic install risk, but the manual install path relies on an external GitHub repo that should be inspected before use.
Credentials
The SKILL.md and README both instruct setting DECK_URL, DECK_USER, DECK_PASS, BOARD_ID and optional STACK_* variables. These are appropriate for Nextcloud Deck but are not declared in the registry metadata. DECK_PASS is sensitive (an app password) and granting it without the registry advertising credential needs is a mismatch and increases risk. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not 'always: true' and does not request persistent installation or global config changes. However it explicitly instructs spawning a background monitoring process that runs periodically and sends notifications; that creates runtime persistence while active. Autonomous invocation is allowed (platform default), which combined with unadvertised credential requirements and background notification increases the blast radius — worth noting but not by itself proof of malicious intent.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-deck-tracker
  3. After installation, invoke the skill by name or use /openclaw-deck-tracker
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
Version 0.1.1
  - Added version number to SKILL.md header.
  - Introduced new "monitor" command for automated heartbeat/status updates and chat notifications during long-running tasks.
  - Improved documentation for AI users on handling complex multi-line descriptions using temporary files to avoid shell issues.
  - No code changes; documentation update only.
v0.1.0
Initial release of deck-tracker for OpenClaw.
  - Track and manage tasks on a NextCloud Deck board using CLI commands.
  - Supports listing, adding, updating, moving, and deleting cards.
  - Environment variable based configuration for board and stack IDs.
  - Workflow optimized for Queue → In Progress → Waiting → Done Today.
  - Commands for status logging, dumping completed tasks as JSON, and archiving done tasks for daily cleanup or memory synthesis.
Metadata
Slug openclaw-deck-tracker
Version 0.1.1
License
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is NextCloud Deck Tracker?

Track OpenClaw tasks on NextCloud Deck board. Auto-add tasks to Queue, move through states. It is an AI Agent Skill for Claude Code / OpenClaw, with 934 downloads so far.

How do I install NextCloud Deck Tracker?

Run "/install openclaw-deck-tracker" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is NextCloud Deck Tracker free?

Yes, NextCloud Deck Tracker is completely free (open-source). You can download, install and use it at no cost.

Which platforms does NextCloud Deck Tracker support?

NextCloud Deck Tracker is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created NextCloud Deck Tracker?

It is built and maintained by SkanderHelali (@skanderhelali); the current version is v0.1.1.
