Back to skill
Skillv2.1.0
VirusTotal security
Autonomous Task Runner · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:08 AM
- Hash
- c37bc78b47471353070418290cc8c0d91f47bdc93745232850d6a4f7e6c9dfe5
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: autonomous-task-runner Version: 2.1.0 The skill is classified as suspicious due to its inherent design allowing arbitrary code execution (RCE) via user-provided tasks, which is a critical vulnerability. Specifically, `references/task-types.md` details a 'code-execution' task type that uses the `exec` tool for 'Standard shell commands,' 'Exec in PTY mode,' and 'Write script then exec.' This directly contradicts the `skill.yml` permission declaration, which misleadingly limits `exec` to 'mkdir -p' only. This discrepancy misrepresents the skill's true capabilities to the platform's security scanner. Additionally, the skill registers persistent cron jobs and modifies `HEARTBEAT.md` for its dispatcher, and passes user-provided task descriptions directly into subagent prompts, creating potential prompt injection vectors. While these capabilities are intended for a flexible task runner, they pose significant security risks if misused by a malicious user or a compromised agent.
- External report
- View on VirusTotal