← 返回 Skills 市场
392
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install plutio
功能描述
Manage Plutio projects and tasks. Use when you need to create, update, close, or query tasks and projects in Plutio (task/project management platform). Suppo...
安全使用建议
This skill appears to be a real Plutio API client (code + docs match the stated purpose), but there is a clear metadata omission: the registry doesn't declare the required Plutio credentials even though the code and docs require them. Before installing:
- Treat the skill as requiring your Plutio App Key/Client Secret; only provide those to this skill if you trust the source/author. The package owner is unknown — verify the origin.
- Prefer the documented secure options (Bitwarden or OS credential manager) rather than adding credentials to shell profiles, scheduled-task scripts, or plain-text files.
- Inspect the included script (scripts/plutio-cli.py) yourself (it is present) or run it in a sandboxed environment first. The script caches tokens to ~/.config/plutio/token.json; ensure you are comfortable with that path and its permissions.
- Confirm network endpoints: the code uses api.plutio.com OAuth and API endpoints (expected). If you observe different remote endpoints in the code, do not proceed.
- Ensure Python3 and the requests library are available in the runtime; the script does not include dependency installation steps.
- If you need stronger assurance, request the publisher to update registry metadata to declare required env vars (PLUTIO_APP_KEY, PLUTIO_SECRET, PLUTIO_SUBDOMAIN) and provide provenance for the skill (homepage, owner identity) or run a code review/audit prior to granting credentials.
功能分析
Type: OpenClaw Skill
Name: plutio
Version: 1.0.1
The skill is designed for legitimate Plutio API interaction. The primary concern is the `scripts/plutio-cli.py` script's acceptance of sensitive API credentials (`--app-key`, `--secret`) directly as command-line arguments. This practice, also demonstrated in `SKILL.md`, `references/examples.md`, and `references/powershell-workflows.md`, is a vulnerability as it can expose credentials in process lists, shell history, or logs. While `references/setup-guide.md` provides good security advice on credential storage, the CLI's design still presents this risk. There is no evidence of intentional malicious behavior, data exfiltration to unauthorized endpoints, or prompt injection attempts to subvert the agent's core function.
能力评估
Purpose & Capability
The name/description, SKILL.md, references, and the included Python CLI all consistently implement a Plutio project/task management client — that aligns with the stated purpose. However, the registry metadata declares no required environment variables or primary credential while the code and docs clearly require a Plutio App Key (client id) and Secret (client secret) to operate. That metadata omission is an incoherence: the skill will not function without credentials yet does not declare them in the registry.
Instruction Scope
Runtime instructions and examples are narrowly scoped to Plutio API actions (list/create/update/close tasks, list people, etc.). The skill caches OAuth tokens locally (~1 hour) and the docs instruct how to configure credentials via environment variables, Bitwarden, or OpenClaw auto-configuration. Example workflows show optional integrations (e.g., sending Matrix notifications) and scheduling via Task Scheduler; those are user-driven and outside the core API client but are clearly documented. There is no instruction to read unrelated system files or exfiltrate data, but some examples show storing credentials in scheduled scripts or shell profiles which can be insecure if the user follows them blindly.
Install Mechanism
This is instruction-only plus a single Python script; there is no install spec that downloads remote code. The script expects Python3 and the requests library but does not attempt to install arbitrary third-party packages from unknown URLs. No high-risk download/extract steps are present.
Credentials
The skill needs sensitive credentials (Plutio App Key / Client Secret) to operate — the SKILL.md and setup docs explicitly show environment variables and CLI arguments for these secrets. Yet the skill metadata lists no required env vars or primary credential. Additionally, some documented configuration options (adding creds to shell profile, Windows scheduled task scripts) encourage storing secrets in plain text; the docs do recommend Bitwarden as most secure, but the presence of insecure examples increases risk if users follow them.
Persistence & Privilege
The skill does create a local token cache under ~/.config/plutio/token.json and restricts permissions (chmod 600) in the code. always:false and no cross-skill config modifications are present. There is no claim of persistent system-wide privileges beyond the token cache and normal file writes within the user's home directory.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install plutio - 安装完成后,直接呼叫该 Skill 的名称或使用
/plutio触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
FIXED: Tasks now require taskBoardId and taskGroupId to appear in Plutio UI. Updated create-task command and documentation. Removed unsupported projectId parameter.
v1.0.0
Initial release: OAuth 2.0 v1.11 API integration with list/create projects and tasks, PowerShell 7 support, comprehensive setup guides
元数据
常见问题
Plutio 是什么?
Manage Plutio projects and tasks. Use when you need to create, update, close, or query tasks and projects in Plutio (task/project management platform). Suppo... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 392 次。
如何安装 Plutio?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install plutio」即可一键安装,无需额外配置。
Plutio 是免费的吗?
是的,Plutio 完全免费(开源免费),可自由下载、安装和使用。
Plutio 支持哪些平台?
Plutio 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Plutio?
由 GrewingM(@grewingm)开发并维护,当前版本 v1.0.1。
推荐 Skills