Agent Autopilot

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: agent-autopilot
Version: 1.4.1

The skill bundle instructs the AI agent to execute shell commands, specifically `bash {todoBaseDir}/scripts/todo.sh ...`. While this is necessary for its stated purpose of task management, the template `bash {todoBaseDir}/scripts/todo.sh entry create "..." --group="{项目名}"` in `SKILL.md` and `HEARTBEAT.md` presents a shell injection vulnerability. If the AI agent, when autonomously creating new tasks, generates a `{项目名}` value from untrusted input or its own analysis that contains shell metacharacters, this could lead to arbitrary command execution. This is a significant risk, even if not intentionally malicious by the skill developer. The skill also grants the agent broad file system and `git` access, which, while necessary for its function, increases the attack surface if the agent is compromised or misdirected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI10: Rogue Agents
What this means

The agent may keep taking actions over time without a fresh user request, which can be risky if the agent has file, code, account, or deployment tools available.

Why it was flagged

The skill explicitly instructs the agent to act on every heartbeat, avoid normal idle acknowledgement, decide next steps itself, and continue until the goal is achieved.

Skill content
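Every time you receive a heartbeat, start working immediately; do not reply HEARTBEAT_OK... Do not stop to ask your superior what to do; decide the next step yourself... Never idle. Every heartbeat must advance the project. Do not stop until the goal is achieved.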
Recommendation

Use only in a dedicated workspace with explicit goals, stop conditions, and confirmation requirements for file changes, commits, deployments, purchases, or external account actions.

Concern (High Confidence)
ASI01: Agent Goal Hijack
What this means

A completed task list may not stop the agent; it can expand the work on its own and continue operating beyond what the user originally enumerated.

Why it was flagged

The workflow changes the agent's stopping condition by telling it to create new tasks and keep going when the current task list is complete.

Skill content
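All tasks completed but the goal not achieved → analyze the project's current state, autonomously create new tasks, and keep advancing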
Recommendation

Define a hard project boundary, require user approval before creating new categories of work, and add a clear condition for when the agent must stop.

What this means

Bad or mistaken log content could be promoted into long-term memory, and important memory entries could be removed, affecting future agent behavior.

Why it was flagged

The skill directs the agent to regularly rewrite persistent memory from logs and remove old memory entries, without safeguards for preserving user-approved rules or filtering untrusted content.

Skill content
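Read the memory/YYYY-MM-DD.md logs written since the last maintenance... distill them and write the result into MEMORY.md... clean out outdated information in MEMORY.md... memory maintenance must not be skipped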
Recommendation

Back up MEMORY.md, restrict which logs can influence memory, and require review before changing core rules, credentials, policies, or long-term decisions.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

If copied into an agent with broad tool permissions, the agent could make code or repository changes without explicit review at each step.

Why it was flagged

The example memory rules encourage automatic commits and use of external coding/documentation tools as part of the autonomous workflow.

Skill content
Automatically git commit once the project reaches a certain stage... Writing code → Codex CLI (rayinai interface)... Writing docs → Claude Code (pengui interface)... Call tools to do the work
Recommendation

Treat these example rules as optional; add approval gates for commits, code generation, external CLIs, network operations, and any action outside the current project folder.

What this means

The copied dependency will affect task management behavior; if the local/global copy is modified or untrusted, that behavior carries into the autopilot workspace.

Why it was flagged

The init script copies the todo-management dependency from an existing local or global installation rather than fetching or pinning a reviewed version.

Skill content
cp -r "$MAIN_WORKSPACE/skills/$TODO_SKILL" "$WORKSPACE/skills/$TODO_SKILL" ... GLOBAL_SKILLS="$(npm root -g 2>/dev/null)/openclaw/skills/$TODO_SKILL"
Recommendation

Inspect the todo-management skill before copying it and prefer a known, reviewed version.