Task Watchdog

Security checks across malware telemetry and agentic risk

Overview

This is a plausible local task watchdog, but its scripts can automatically reassign, update, archive, or delete task records with weak ownership checks.

Review before installing in any shared or multi-agent environment. Use it only if you are comfortable letting shell scripts manage local OpenClaw task state, and consider adding dry-run cleanup, stricter agent/task ID validation, atomic locking, explicit caller identity checks, and grace-period enforcement before enabling heartbeat or cron automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Medium, 93% confidence
Finding
The specification defines abandonment based on `last_progress` while explicitly saying `last_heartbeat` should not trigger archival, but later test expectations contradict that rule. In a task-locking/watchdog system, inconsistent liveness criteria can cause premature archival or takeover of active tasks, leading to integrity and availability issues in workflow coordination.

Intent-Code Divergence

Medium, 91% confidence
Finding
The state-transition description and test scenarios disagree on what condition causes a task to be archived as `abandoned`. This ambiguity is dangerous because implementers may encode different behaviors in scanners, lock updates, or recovery logic, allowing active work to be marked abandoned or stale work to remain uncollected.

Description-Behavior Mismatch

Medium, 93% confidence
Finding
The script can unilaterally rewrite `session_id` and take ownership of active locks based solely on whether the prior session appears in `openclaw sessions list`. Because it never verifies heartbeat age, lock freshness, or performs an atomic compare-and-swap, a transient CLI failure or stale session listing can cause live work to be stolen, leading to task corruption, duplicate execution, or loss of coordination guarantees.

Intent-Code Divergence

High, 98% confidence
Finding
The comments and variables describe GRACE-based timeout handling, but the implementation never checks `last_heartbeat` age at all before taking over a lock. In practice, any failure to observe a session—temporary command error, listing inconsistency, permission issue, or brief control-plane outage—immediately triggers lock hijack, making the coordination mechanism unsafe and much more fragile than advertised.

Intent-Code Divergence

High, 98% confidence
Finding
The documented policy says dispatcher/main may write only after the owner session disappears, but `has_permission()` grants `dispatcher` or `main` unconditional write access before any liveness check. This allows privileged session labels to overwrite progress and heartbeat for an active task owned by another live session, undermining lock integrity and enabling task hijacking or state corruption.

Missing User Warnings

Medium, 84% confidence
Finding
The skill explicitly allows automatic task takeover and archive/cleanup actions that modify external task-state files, yet the workflow does not warn users that state can be reassigned or deleted automatically. In a multi-agent or shared environment, this can cause unintended ownership changes, loss of auditability, or premature archival/cleanup of task records without operator awareness.

VirusTotal

64/64 vendors flagged this skill as clean.
