Autonomous Task Runner

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

This is a disclosed autonomous task queue, but it can keep running in the background and execute broad file, command, subagent, and messaging actions without clear per-action approval or shutdown controls.

Only install this if you want a background task runner with persistent scheduling. Before use, decide whether it may run commands, write outside its task directory, spawn subagents, or send messages for you; consider disabling cron/heartbeat setup and requiring confirmation for sensitive actions.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern, High Confidence
ASI10: Rogue Agents
What this means

The agent may keep checking the queue and running tasks in the background after the user has moved on.

Why it was flagged

The first-use flow creates persistent dispatcher plumbing and a recurring job so the skill can continue acting after the initiating turn.

Skill content

Auto-configure everything silently... Register backup cron job... enabled: true... "Your tasks will execute automatically."

Recommendation

Require explicit opt-in before heartbeat/cron registration, provide a clear disable/uninstall path, and pause before executing sensitive task types.

Concern, High Confidence
ASI01: Agent Goal Hijack
What this means

A loosely phrased message could be queued and executed instead of being answered or clarified first.

Why it was flagged

Broad trigger rules combined with immediate dispatch can reinterpret ordinary multi-part requests as background tasks.

Skill content

INTAKE ... Parse message → add tasks to queue → confirm → immediately run DISPATCHER ... Framing: "I need you to", "help me with", "I need" ... Compound ask: Any message with 2+ distinct action items

Recommendation

Narrow activation to explicit task-queue commands and ask for confirmation before dispatching newly parsed tasks.

What this means

A queued task could change local files, run commands, install software, call external APIs, or send messages if the agent has those tools.

Why it was flagged

Queued tasks can invoke broad shell/API escape hatches, including interactive execution and API calls, without documented allowlists or approval gates.

Skill content

code-execution ... Direct exec ... Exec in PTY mode ... Write script then exec ... messaging ... channel's API via `exec` curl

Recommendation

Add allowlists, sandboxing, command previews, and explicit user approval for exec, file mutation, API curl, messaging, and scheduling actions.

What this means

Users may underestimate the actual shell-command authority the skill intends to use.

Why it was flagged

The permission summary presents exec as limited to directory creation, while the included task-type references document broader direct exec, PTY exec, script execution, and curl fallback behavior.

Skill content

permissions: ... exec: - "mkdir -p ${TASK_RUNNER_DIR} (directory creation only)"

Recommendation

Align the permission declaration with all documented execution paths, or remove/disable broad code-execution behavior by default.

What this means

Messages, emails, or public posts could be sent from the user's accounts if queued incorrectly or triggered unintentionally.

Why it was flagged

The skill can use delegated messaging or social/API authority to post or send content on the user's behalf, but no recipient/channel/account scope or confirmation requirement is documented.

Skill content

messaging ... "Email the team about X" ... "Post a tweet about Y" ... Primary Strategy: `message` tool ... Channel-specific fallback ... API via `exec` curl

Recommendation

Require per-message confirmation, restrict allowed destinations, and clearly document which accounts or messaging credentials may be used.

What this means

Sensitive task details may remain on disk and influence future dispatcher behavior.

Why it was flagged

The persistent queue and archives can retain task descriptions, goals, deliverables, and execution history for later reuse.

Skill content

All tasks live in one persistent file... It accumulates over time... Tasks are never deleted — they're archived so you always have a record.

Recommendation

Avoid placing secrets in task descriptions, and add clear retention, deletion, and archive-management controls.