Skill v2.1.0

ClawScan security

Autonomous Task Runner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Feb 18, 2026, 4:19 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared capabilities and required actions match its task-queue purpose, but on first use it modifies the user's agent config files and registers a cron job, and it spawns subagents and runs commands automatically as part of tasks. These behaviors merit caution before installing.
Guidance
This skill appears to implement what it claims (a persistent task queue), but on first use it will create ~/.openclaw/tasks/, append a dispatcher entry to HEARTBEAT.md, and register a recurring cron job; it also spawns subagents and can run shell commands as part of tasks. Before installing:
1) Decide whether you are comfortable with automated edits to HEARTBEAT.md and the addition of a cron job; both happen on first use, not at install time.
2) Review which subagents and tools (exec, message, web_search) the agent currently has access to, because tasks (including code-execution and messaging tasks) will run with exactly those capabilities.
3) Consider limiting use to non-sensitive tasks, or test the skill first in a sandboxed agent or account.
4) Back up HEARTBEAT.md and any other config files the skill will modify, so you can diff what changed after the first run.
5) If you want manual control, ask the skill author to make first-run setup explicit (require user confirmation) or to disable immediate DISPATCHER execution so queued tasks only run after your approval.

Review Dimensions

Purpose & Capability
ok
Name/description, declared tools (write, exec, message, web_search, subagents, optional cron), and the SKILL.md all align: a persistent queue that writes files, spawns subagents to run tasks, and reports results legitimately needs filesystem writes, cron/heartbeat integration, and subagent spawning.
Instruction Scope
concern
Runtime instructions explicitly tell the agent to create ~/.openclaw/tasks/, initialize a persistent queue file, append an entry to HEARTBEAT.md, and 'CALL cron tool' to register a recurring job on first use. The skill also runs the DISPATCHER in the same turn as INTAKE, so a queued task may be executed autonomously immediately after it is added. These instructions modify agent-managed config files and system scheduling without an explicit interactive opt-in at installation time.
Install Mechanism
ok
Instruction-only skill (no install spec, no downloads). No installer writes anything to disk, although the runtime instructions do write to user config paths once the skill is used; the absence of external install URLs reduces supply-chain risk.
Credentials
note
The skill requests no environment variables or external credentials (good). It does require access to agent config files (TOOLS.md, HEARTBEAT.md) and to the user's home directory to persist the queue and archives. These are proportional for a persistent task runner, but they grant access to agent-local configuration and persistent storage that could contain sensitive entries. The skill's declared permissions match the file, cron, and subagent actions it actually requests.
Persistence & Privilege
concern
The skill creates and maintains a persistent queue file that accumulates until entries are archived after a configured number of days, and it registers a recurring cron job and heartbeat entry on first run. It also spawns subagents and can run exec/tool-based code for 'code-execution' task types. While these are coherent with a task runner, they increase long-term attack surface and enable autonomous background actions; the skill performs these privileged modifications automatically on the first INTAKE (auto-setup behavior) rather than after explicit user confirmation.