Task Panner Validator for Agents

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: task-panner-validator
Version: 0.1.0

The skill bundle is classified as suspicious due to a critical vulnerability in `task_planner.py`. The `SafetyValidator`'s `validate_step` method, when a dangerous operation is detected and `safety_check` is explicitly set to `True` for that step, only issues a warning but still returns `is_safe=True`. This allows the `approve_plan` method to successfully approve the plan (as `is_valid` remains `True`), and subsequently, the `execute_plan` method proceeds to execute the dangerous step. This design flaw effectively bypasses the intended blocking mechanism for dangerous operations, allowing them to be executed with only a warning, which could be exploited by an agent to perform unauthorized or harmful actions. No direct evidence of intentional malicious code or prompt injection attempts was found in the files.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent connects this planner to powerful file, shell, API, database, or deployment actions, a plan could make meaningful changes, especially when auto-approval is enabled.

Why it was flagged

The library intentionally delegates real-world action execution to a caller-provided function and can auto-approve plans. This is purpose-aligned, but the safety of execution depends on how narrowly that executor is implemented.

Skill content

TaskPlanner(auto_approve: bool = False) ... If True, automatically approve plans before execution ... execute_plan(... executor_func: Callable ...)

Recommendation

Keep auto_approve disabled for sensitive workflows, use dry_run first, require human review for destructive or account-changing steps, and expose only narrowly scoped executor actions.

What this means

A future change to the remote repository could differ from the reviewed artifacts if users install by cloning the default branch.

Why it was flagged

The documented install path clones a mutable GitHub repository rather than a pinned release or commit, while the registry metadata lists the source as unknown.

Skill content

git clone https://github.com/cerbug45/task-planner-validator.git

Recommendation

Verify the repository owner and pin a trusted commit or release before using it in sensitive automation.

What this means

If a saved plan file is modified or comes from an untrusted source, it could change what actions an agent later executes.

Why it was flagged

Saved task plans are persistent instructions and parameters that may later be loaded and executed. This is disclosed and purpose-aligned, but users should treat saved plans as trusted inputs.

Skill content

Plan Persistence: Save and load plans in JSON format

Recommendation

Only load plans from trusted locations, review loaded plans before execution, and avoid storing secrets directly in plan parameters or results.