← 返回 Skills 市场
Nova Accountability
作者
novalystrix
· GitHub ↗
· v2.0.0
· MIT-0
80
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install nova-accountability
功能描述
Manage accountability items on a Monday.com board. Use when creating new accountability items, checking on existing ones, running work sessions, or when a cr...
安全使用建议
Before installing, confirm and correct the missing declarations and limit runtime scope: 1) Expect to provide a Monday API token (MONDAY_API_TOKEN) and board id (MONDAY_BOARD_ID) — the manifest should list them; 2) Ensure curl and jq are available or update the script to avoid jq; 3) Note the script will look in ~/.openclaw/.env for MONDAY_API_TOKEN — review that file for other secrets and consider placing the token in a dedicated env var instead; 4) Decide whether you want the agent to be allowed to 'spawn sub-agents' and 'message anyone' — if not, restrict the agent's permissions or remove/modify those instructions; 5) Run the skill in a constrained environment (limited network access, least-privilege token scoped to boards read/write) and review logs for outbound communication; and 6) If you need high assurance, ask the publisher to update the skill metadata to declare required env vars and binaries and to clarify exactly which external channels (email, Slack, etc.) the agent will use and what credentials are needed.
功能分析
Type: OpenClaw Skill
Name: nova-accountability
Version: 2.0.0
The skill contains shell injection vulnerabilities in `scripts/monday-api.sh` due to unsafe handling of arguments in the `query` function and `update` command. Additionally, the `SKILL.md` instructions contain high-risk directives for an autonomous agent, such as 'Don't limit yourself' when messaging people and spawning sub-agents, which could lead to unauthorized communications or resource exhaustion. While the behavior aligns with the stated purpose of a proactive 'Accountability' manager, the combination of insecure scripting and broad operational autonomy warrants a suspicious classification.
能力评估
Purpose & Capability
The skill's name/description (manage Monday.com accountability items) matches the included code and SKILL.md which use the Monday GraphQL API. However the package metadata claims no required env vars or binaries, while the SKILL.md/README/scripts clearly require a MONDAY_API_TOKEN and MONDAY_BOARD_ID and rely on curl and jq. That mismatch is inconsistent and should be corrected.
Instruction Scope
The SKILL.md instructs the agent to read all active items, create sub-items, write updates, and run an hourly 'real work session' that can 'execute the plan' including code work or 'config changes, research, outreach'. It also explicitly tells the agent to 'orchestrate others' (spawn Cursor Agent or other coding agents) and 'message anyone who can help' without enumerating required messaging credentials. The helper script reads ~/.openclaw/.env (to find MONDAY_API_TOKEN) and performs GraphQL calls to api.monday.com. The scope instructions therefore permit broad external interactions (spawning agents, messaging people) that are not reflected in declared requirements — this is scope creep and raises operational risk.
Install Mechanism
There is no install spec (instruction-only), which is low risk. The included script will be written to disk as part of the skill bundle. The script uses curl and pipes output to jq, but the manifest lists no required binaries; the skill should declare curl and jq as required or handle missing binaries gracefully.
Credentials
The SKILL.md and README require MONDAY_API_TOKEN and MONDAY_BOARD_ID, yet the registry metadata states none are required. The script attempts to read MONDAY_API_TOKEN from the environment or by grepping ~/.openclaw/.env — reading a user .env file is a notable behavior (it reads only to extract the token, but that file may contain other secrets). The skill does not declare or request any messaging/notification credentials even though instructions encourage contacting people and spawning sub-agents, creating a gap between capabilities and declared credentials.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent system privileges. It suggests running on a cron schedule (expected). It does not modify other skills or system-wide settings in the files provided.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install nova-accountability - 安装完成后,直接呼叫该 Skill 的名称或使用
/nova-accountability触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.0.0
v2.0: Config-driven — all hardcoded values (board ID, column IDs, owner/agent names) moved to plugin config schema. README added. Helper script is env-var based. Generalized for any OpenClaw user running a Monday.com accountability board.
元数据
常见问题
Nova Accountability 是什么?
Manage accountability items on a Monday.com board. Use when creating new accountability items, checking on existing ones, running work sessions, or when a cr... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 80 次。
如何安装 Nova Accountability?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install nova-accountability」即可一键安装,无需额外配置。
Nova Accountability 是免费的吗?
是的,Nova Accountability 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Nova Accountability 支持哪些平台?
Nova Accountability 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Nova Accountability?
由 novalystrix(@novalystrix)开发并维护,当前版本 v2.0.0。
推荐 Skills