ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Async Task

v0.1.0

Run and manage long tasks exceeding HTTP timeouts by starting, updating, and completing them asynchronously with immediate responses.

1· 2.9k·11 current·13 all-time
by@enderfga
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/behavior match: the skill implements start/done/push/status commands, auto-detects OpenClaw/Clawdbot CLI sessions, and optionally posts to a custom HTTP endpoint. It does not request unrelated credentials or system access.
Instruction Scope
SKILL.md instructs only to run the async-task CLI, optionally configure a push endpoint, and to pair start/done; the runtime instructions and examples stay within the stated purpose and do not direct the agent to read unrelated host files or credentials.
Install Mechanism
There is no automated install spec in the registry (instruction-only). SKILL.md suggests manual npm install/git clone or copying the script to PATH — user-executed steps only. The included code is plain JS from a GitHub repo; no opaque download URLs or automatic extraction are present.
Credentials
Only optional env vars are documented (OPENCLAW_SESSION, ASYNC_TASK_PUSH_URL, ASYNC_TASK_AUTH_TOKEN, and state-dir fallbacks). These are proportionate to the feature set. The script writes a small state file under a per-user directory (default ~/.openclaw), which is expected for tracking tasks.
Persistence & Privilege
Skill is not always-loaded and does not request elevated privileges. It persists a local state file in the user's home directory (normal for a CLI helper) and does not modify other skills or global agent configuration.
Assessment
This skill appears coherent with its purpose and is implemented as a simple CLI wrapper. Before installing: (1) Inspect async-task.js yourself (it's included) and only copy it to system PATH if you trust it. (2) Be cautious if you set ASYNC_TASK_PUSH_URL — messages (sessionId and content) will be POSTed to that endpoint, so do not point it at untrusted servers or leak sensitive output there. (3) The tool uses your openclaw/clawdbot CLI when available; ensure that CLI is configured correctly. (4) The script stores state under ~/.openclaw by default; if that is a concern, configure OPENCLAW_STATE_DIR. Overall this is internally consistent and doesn’t request unrelated secrets.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fsrwgd3fny335t8xs11z04980btc0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments