Quest Board
Author: yx2601816404-sys · GitHub · v0.1.0
Total downloads: 771
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install quest-board
Description
Visual project dashboard managing quests, priorities, progress, and infrastructure via quest-board-registry.json with build and init commands.
Security recommendations
This skill appears to do exactly what it claims: scan your workspace for Markdown files (to build a registry), generate a local JSON registry file, and render an interactive HTML dashboard. Before installing or running it:
1) review the generated quest-board-registry.json (it will be created/updated in your workspace) and don't include sensitive files in the registry;
2) be aware the dashboard embeds the registry JSON directly into the HTML; opening the page runs its script against that data, so avoid loading untrusted registry content;
3) the UI provides buttons that copy file paths to clipboard and open file:// directories in your browser; these are expected features but they expose local paths and may be blocked by some browsers; and
4) because init.sh scans many folders, run it in a workspace you trust or run it manually after review.
If you want to harden: run init.sh in a disposable workspace copy, or modify build.sh to JSON-serialize/escape the registry before embedding to reduce injection risk.
Functional analysis
Type: OpenClaw Skill
Name: quest-board
Version: 0.1.0
The skill bundle contains multiple critical client-side JavaScript injection (XSS) vulnerabilities in `src/template.html`. The `__REGISTRY_DATA__` placeholder is directly replaced with the raw content of `quest-board-registry.json` within a `<script>` block, allowing arbitrary JavaScript execution if the registry file is compromised. Additionally, file paths and other project data (e.g., `p.name`, `p.desc`) are unsafely inserted into HTML attributes and `innerHTML` without proper escaping, and environment variables (`QUEST_BOARD_WORKSPACE`, `QUEST_BOARD_TITLE`) are also directly injected into JavaScript strings. These flaws could be exploited via prompt injection against the agent to write malicious content into the registry, leading to arbitrary code execution in the user's browser when `quest-board.html` is opened.
Capability assessment
Purpose & Capability
Name/description match the included scripts and assets: build.sh generates an HTML dashboard from quest-board-registry.json and init.sh scans the workspace to create a skeleton registry. The declared filesystem permission in claw.json matches the skill's need to read/write files.
Instruction Scope
SKILL.md directs the agent to run the included init and build scripts and to maintain a local quest-board-registry.json. init.sh scans the workspace for Markdown files (excluding some known files/dirs) to auto-generate entries — this is expected for discovery, but it does mean the skill reads many workspace files. The generated HTML embeds the registry JSON directly into a JS variable (const REG=__REGISTRY_DATA__); because registry content is injected into the page, malicious or untrusted content in the registry could alter page behavior when the HTML is opened locally (risk of XSS-like effects in the browser).
Install Mechanism
No install spec or external downloads; this is an instruction-only skill with included shell scripts and static HTML template. Nothing is fetched from remote sources and no archives are extracted.
Credentials
No required environment variables or credentials are declared. The scripts accept optional environment variables (QUEST_BOARD_TITLE, QUEST_BOARD_WORKSPACE) which are reasonable and limited in scope.
Persistence & Privilege
always:false and normal agent invocation settings. The skill writes only its own registry file and output HTML in the workspace and does not modify other skills or global agent config.
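How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install quest-board`
- Once installation completes, call the Skill by name or use `/quest-board` to trigger it
- Provide the inputs required by the Skill's parameter description to get structured output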
Version history
v0.1.0
Initial release: visual project dashboard for OpenClaw workspaces
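FAQ
What is Quest Board?
Visual project dashboard managing quests, priorities, progress, and infrastructure via quest-board-registry.json with build and init commands. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 771 total downloads so far.
How do I install Quest Board?
Run the command "/install quest-board" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Quest Board free?
Yes, Quest Board is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does Quest Board support?
Quest Board is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Quest Board?
It is developed and maintained by yx2601816404-sys (@yx2601816404-sys); the current version is v0.1.0.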