ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cancel Dispatch Run

v0.1.1

Cancel an active interactive dispatch run by run-id from slash command cancel. Use when user wants to stop a dispatchi or ralph-loop task immediately.

0· 394·1 current·1 all-time
byXi ErDe@edxi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the implementation: the script locates a run directory, reads task metadata, sends tmux keystrokes to request a cancel and exit, kills the tmux session, and updates local metadata. The optional env keys (RESULTS_BASE, TMUX_SOCKET_DIR) are appropriate for locating results and tmux sockets.
Instruction Scope
The SKILL.md simply instructs running the provided script, and the script stays within the described scope (reads allowlisted env keys only, acts on the resolved tmux session, updates local metadata). Two practical caveats: the script requires external binaries (tmux, jq, find/date are used) which are not declared in the skill metadata, and killing a tmux session is inherently destructive if the session name in task-meta.json is incorrect or has been tampered with. The SKILL.md does document the env file and allowlist behavior, which matches the script.
Install Mechanism
No install spec (instruction-only with an included script) — nothing is downloaded or written by an installer. Risk is limited to local script execution.
Credentials
The skill does not request secrets or credentials. It reads an optional local env file but explicitly only exports two allowed keys (RESULTS_BASE, TMUX_SOCKET_DIR). That is proportionate to its purpose.
Persistence & Privilege
always:false and no persistent presence requested. The script only updates its own run metadata file and does not modify other skills or global agent settings.
Assessment
This skill appears to do what it says: cancel a run by sending tmux keystrokes and updating local metadata. Before installing or running it: 1) Verify you have the required system utilities (tmux and jq) available on the agent host — the metadata does not declare these dependencies. 2) Confirm RESULTS_BASE and TMUX_SOCKET_DIR (or the dispatch.env.local file) point to the expected paths and are readable only by trusted users. 3) Inspect task-meta.json files in your results directories to ensure tmux_session/tmux_socket_name values are correct and not maliciously modified; the script will kill the referenced tmux session. 4) Because the script kills tmux sessions, run it only when you intend to terminate that session. The skill does not contact external networks or request secrets, which limits its blast radius.

Like a lobster shell, security has layers — review code before you run it.

latestvk979d4342n118q6cftsbst3h5981zryj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments