Local Task Runner
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill transparently provides a local Node.js runner, but it gives the agent broad host code-execution power without a real sandbox despite safety and isolation wording.
Install only if you intentionally want the agent to run local Node.js code. Do not rely on the stated isolation as a security boundary; review code before execution, require confirmation for impactful tasks, and use a sandbox, VM, container, or low-privilege account when possible.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any snippet run through this skill can read, modify, or delete local files, spawn other processes, or make network calls as the local user.
Agent-constructed or user-provided code is written to disk and executed directly by local Node.js, with no sandbox beyond a timeout.
fs.writeFileSync(filePath, code); ... result = await runCommand(`node "${filePath}"`, timeout);Treat use of this skill like running shell commands. Require explicit review for non-trivial code and run it inside a container, VM, or low-privilege account if possible.
The agent may choose this broad execution tool for convenience, increasing the chance that an ordinary task turns into unreviewed local code execution.
The instructions make a raw local code runner a default workflow without describing approval requirements, allowed operations, or limits for high-impact local actions.
It is the **default execution method** when subagent spawning is unavailable or inefficient.
Document narrow allowed uses, require user confirmation before running code that touches files, network, credentials, or system state, and prefer safer scoped tools when available.
Executed snippets can inherit the agent process's local privileges and may access local configuration, environment variables, or files available to that user.
The process is launched with only timeout and buffer options; the artifacts show no reduced OS user, restricted environment, credential isolation, or filesystem boundary.
const child = exec(command, { timeout: timeout, maxBuffer: 1024 * 1024 * 5 }, (error, stdout, stderr) => {Run the skill with a dedicated low-privilege user, clear sensitive environment variables, and avoid using it in directories or sessions that contain secrets.
Users may over-trust the safety claim and allow code to run locally without understanding that it can affect the host system.
The wording can be read as security isolation, but the implementation directly executes local Node.js code; cleanup and timeout are not a sandbox.
- **Safety**: Isolates execution logic, handles cleanup, and enforces timeouts.
Clarify that this is not sandboxed execution, describe the exact risks, and add explicit warnings before local code is run.