Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Autopilot
v1.4.1Self-driving agent workflow with heartbeat-driven task execution, day/night progress reports, and long-term memory consolidation. Integrates with todo-manage...
⭐ 1· 3.9k·59 current·60 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the contents: SKILL.md and scripts implement a heartbeat-driven autopilot that reads/writes agent workspace files and delegates task tracking to the todo-management skill. The included init.sh and examples are proportional to setting up such a self-driving agent.
Instruction Scope
Instructions tell the agent to run periodic heartbeats, read/write memory/*.md and memory/report-state.json, create/update todo entries (via todo-management's todo.sh), and autonomously create tasks and reports. This is consistent with the purpose but grants the agent broad autonomous file- and task-modification capabilities (explicitly instructs it not to ask for direction). Review HEARTBEAT.md/MEMORY.md templates before use.
Install Mechanism
No external install spec or remote downloads; the package is instruction-only with a local init.sh. init.sh copies an existing todo-management skill from the main workspace or a global npm location (uses `npm root -g`) rather than fetching from the network. That behavior is low-risk but assumes local/global artifacts exist and that npm is available (npm is not listed as a required binary).
Credentials
The skill declares no required environment variables or credentials. The templates mention a local proxy (127.0.0.1:7890) in MEMORY.md as an example, but the skill does not require or attempt to read secrets. No disproportionate credential access is requested.
Persistence & Privilege
always=false (normal) and the skill does not request elevated platform privileges. However, it is designed to run autonomously when invoked and will persist state and modify files under the agent workspace (memory/, HEARTBEAT.md, MEMORY.md, todo.db). That capability is expected for an autopilot skill but increases the impact of any bug or malicious content in the delegated todo-management skill.
Assessment
This skill is internally coherent for creating an autonomous, heartbeat-driven agent, but take these precautions before installing or enabling autonomous runs:
- Inspect the todo-management skill code that init.sh will copy (check the source directories mentioned: $HOME/.openclaw/workspace/skills and the global npm path). The autopilot delegates task execution to todo-management and will execute todo.sh commands.
- Run init.sh in a disposable/test workspace first (not a production workspace) to observe what files it creates and what commands run. Back up any important workspace before running.
- Ensure you have npm available if you expect the script to locate a global skills folder; otherwise provide the todo-management skill manually.
- Review HEARTBEAT.md, MEMORY.md and report-state.json templates to confirm reporting cadence and that no external endpoints or credentials are accidentally baked in.
- Be comfortable with autonomous agents creating/updating files and tasks without prompting you; if not, keep the skill user-invocable only and do not enable automated heartbeat runners.
If you want a deeper review, provide the todo-management skill content and any environment where the agent will run so I can check for commands that reach network endpoints, execute external binaries, or access credentials.Like a lobster shell, security has layers — review code before you run it.
agentvk976mb3fy1abgzkkk0rwd6q1p181nzjjautomationvk976mb3fy1abgzkkk0rwd6q1p181nzjjlatestvk97ay4dy8a50mp0mavrmx5gjc581nc77todovk976mb3fy1abgzkkk0rwd6q1p181nzjjworkflowvk976mb3fy1abgzkkk0rwd6q1p181nzjj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🚀 Clawdis