← Back to Skills Marketplace
Quest Board
by
yx2601816404-sys
· GitHub ↗
· v0.1.0
771
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install quest-board
Description
Visual project dashboard managing quests, priorities, progress, and infrastructure via quest-board-registry.json with build and init commands.
Usage Guidance
This skill appears to do exactly what it claims: scan your workspace for Markdown files (to build a registry), generate a local JSON registry file, and render an interactive HTML dashboard. Before installing or running it: 1) review the generated quest-board-registry.json (it will be created/updated in your workspace) and don't include sensitive files in the registry; 2) be aware the dashboard embeds the registry JSON directly into the HTML — opening the page runs its script against that data, so avoid loading untrusted registry content; 3) the UI provides buttons that copy file paths to clipboard and open file:// directories in your browser — these are expected features but they expose local paths and may be blocked by some browsers; and 4) because init.sh scans many folders, run it in a workspace you trust or run it manually after review. If you want to harden: run init.sh in a disposable workspace copy, or modify build.sh to JSON-serialize/escape the registry before embedding to reduce injection risk.
Capability Analysis
Type: OpenClaw Skill
Name: quest-board
Version: 0.1.0
The skill bundle contains multiple critical client-side JavaScript injection (XSS) vulnerabilities in `src/template.html`. The `__REGISTRY_DATA__` placeholder is directly replaced with the raw content of `quest-board-registry.json` within a `<script>` block, allowing arbitrary JavaScript execution if the registry file is compromised. Additionally, file paths and other project data (e.g., `p.name`, `p.desc`) are unsafely inserted into HTML attributes and `innerHTML` without proper escaping, and environment variables (`QUEST_BOARD_WORKSPACE`, `QUEST_BOARD_TITLE`) are also directly injected into JavaScript strings. These flaws could be exploited via prompt injection against the agent to write malicious content into the registry, leading to arbitrary code execution in the user's browser when `quest-board.html` is opened.
Capability Assessment
Purpose & Capability
Name/description match the included scripts and assets: build.sh generates an HTML dashboard from quest-board-registry.json and init.sh scans the workspace to create a skeleton registry. The declared filesystem permission in claw.json matches the skill's need to read/write files.
Instruction Scope
SKILL.md directs the agent to run the included init and build scripts and to maintain a local quest-board-registry.json. init.sh scans the workspace for Markdown files (excluding some known files/dirs) to auto-generate entries — this is expected for discovery, but it does mean the skill reads many workspace files. The generated HTML embeds the registry JSON directly into a JS variable (const REG=__REGISTRY_DATA__); because registry content is injected into the page, malicious or untrusted content in the registry could alter page behavior when the HTML is opened locally (risk of XSS-like effects in the browser).
Install Mechanism
No install spec or external downloads; this is an instruction-only skill with included shell scripts and static HTML template. Nothing is fetched from remote sources and no archives are extracted.
Credentials
No required environment variables or credentials are declared. The scripts accept optional environment variables (QUEST_BOARD_TITLE, QUEST_BOARD_WORKSPACE) which are reasonable and limited in scope.
Persistence & Privilege
always:false and normal agent invocation settings. The skill writes only its own registry file and output HTML in the workspace and does not modify other skills or global agent config.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install quest-board - After installation, invoke the skill by name or use
/quest-board - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release: visual project dashboard for OpenClaw workspaces
Metadata
Frequently Asked Questions
What is Quest Board?
Visual project dashboard managing quests, priorities, progress, and infrastructure via quest-board-registry.json with build and init commands. It is an AI Agent Skill for Claude Code / OpenClaw, with 771 downloads so far.
How do I install Quest Board?
Run "/install quest-board" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Quest Board free?
Yes, Quest Board is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Quest Board support?
Quest Board is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Quest Board?
It is built and maintained by yx2601816404-sys (@yx2601816404-sys); the current version is v0.1.0.
More Skills