Skill v10.3.1

ClawScan security

autonomous-tasks · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 5, 2026, 10:46 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (autonomous task runner) aligns with its files, but the runtime instructions are vague about how tasks are 'executed' and allow broad filesystem and autonomous action, which is disproportionate and could be abused without further constraints.
Guidance
This skill appears to do what it says (run self-driven tasks), but its runtime instructions are too vague about what 'execute tasks' means. Before installing or scheduling it:
(1) Review or create agents/AUTONOMOUS.md, agents/memory/tasks.md and backlog to ensure no sensitive goals or commands are present.
(2) Run the skill in a restricted/sandboxed environment (isolated working directory, no access to secrets, limited network) to observe what it does.
(3) Do not enable the suggested cron schedule until you trust the behavior.
(4) Ask the author or update SKILL.md to explicitly constrain what kinds of task execution are allowed (e.g., only edit files, no shell commands, whitelist network domains, require explicit user confirmation for external actions).
(5) Avoid placing the skill's working directory somewhere that contains secrets or production data.
These steps will reduce risk from its broad, under-specified execution powers.

Review Dimensions

Purpose & Capability
note: Name/description match the SKILL.md: it reads goals, generates tasks, executes them, and logs progress in an agents/ directory. No unrelated environment variables or external dependencies are requested. However, 'execute tasks' is under-specified: legitimate implementations might only operate on text files, but the instructions permit arbitrary task execution and writing outputs to the current working directory, which is broader than a simple task-planning helper.
Instruction Scope
concern: The SKILL.md explicitly instructs the agent to read and write files under agents/ (relative to the skill) and to 'execute tasks' from memory/tasks.md, but it does not define what executing a task entails or limit allowed actions (shell commands, network calls, API keys, etc.). It also recommends installing a scheduled cron job (openclaw cron add). The guidance to never write into the skill dir but allow arbitrary outputs to the current working directory grants broad write/read scope that could touch sensitive locations if the working directory is not sandboxed.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files, so install risk is minimal. Nothing is downloaded or written by an installer step.
Credentials
note: The skill requests no environment variables or credentials, which is proportionate. It does, however, expect persistent filesystem access to create and maintain an agents/ directory adjacent to SKILL.md and to write outputs to the working directory; those filesystem privileges may be more than a user expects from a 'task generator' and should be considered when granting runtime permissions.
Persistence & Privilege
note: always:false (good) and the skill is user-invocable. It recommends creating a scheduled cron entry via openclaw, which would make it run periodically if the user sets that up. Because disable-model-invocation is false (the platform default), the skill could act autonomously when invoked; combine this with vague execution semantics and persistent storage and the blast radius increases.