Farmos Tasks
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill matches its FarmOS task-management purpose, but it relies on an undeclared local auth helper and JWT-based write access that can modify farm task records.
Review this skill before installing. It appears designed for legitimate FarmOS task management, but it can change operational task records and depends on a local auth script and role file that were not included in the scan. Only use it if you trust the FarmOS endpoint and the auth helper, and ensure write actions require the right user role and explicit confirmation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used as intended, the agent can change task/work-order state in FarmOS.
The skill documents write operations that can create, complete, cancel, and assign farm tasks. This is central to the stated purpose, but users should recognize it can change operational records.
POST /api/tasks ... POST /api/tasks/{id}/start ... POST /api/tasks/{id}/complete ... POST /api/tasks/{id}/cancel ... POST /api/tasks/{id}/assignConfirm task creation, assignment, cancellation, and completion requests before allowing the agent to submit write actions.
The agent may obtain and use privileged FarmOS tokens to modify tasks, so a mis-scoped role or wrong user mapping could let it act with more authority than intended.
The skill requires JWT-based account authority and local role mapping for protected writes, including a manager-token example, while the supplied requirements declare no primary credential or required config path.
This skill accesses protected FarmOS endpoints that require a JWT token. ... TOKEN=$(~/clawd/scripts/farmos-auth.sh manager) ... Check the sender's role in `~/.clawdbot/farmos-users.json`
Declare the credential/config requirements, restrict tokens to the minimum role needed, and require clear user confirmation for privileged write actions.
Installing the skill may cause the agent to rely on local code outside the reviewed package when getting FarmOS credentials.
The skill depends on a local auth helper script to obtain JWTs, but the artifact set is instruction-only and does not include or pin that helper, leaving its behavior and provenance unreviewed.
TOKEN=$(~/clawd/scripts/farmos-auth.sh manager)
Provide and review the auth helper, pin its source/version, or document exactly how users should verify it before the skill uses it.