ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Long Run Mode

v0.1.4

Long-task execution protocol for sustained multi-step work. 当用户明确说“长任务模式”或“进入长任务模式”时触发。除这类口令外,其他任何表达——包括“继续”“接着来”“往下做”“一直做,不停”“持续推进”“不要停下来问”——都不触发长任务模式,只按普通任...

0· 40·0 current·0 all-time
by@ffffff9331
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name, description, SKILL.md, and scripts are coherent: the package implements a long-run/task-heartbeat/watchdog protocol and helper scripts for building messages and recovery plans. However the published metadata claims no required config paths or credentials while the code reads/writes a local state file (skills/long-run-mode/.task-state.json) and — unless overridden — will try to read the user's OpenClaw sessions index (~/.openclaw/agents/main/sessions/sessions.json). The mismatch between declared requirements (none) and actual accesses to user session data and an external 'openclaw' binary is an inconsistency the installer should be aware of.
!
Instruction Scope
SKILL.md instructs the agent/operator to run included Python and shell scripts that will read and update .task-state.json, run watchdog/keepalive flows, construct messages targeted at real session keys, and (optionally) spawn an OpenClaw agent process to send messages into sessions. Those actions go beyond simple in-skill bookkeeping: they access the user's sessions index, may resolve session IDs, and may produce/send messages into real sessions. The instructions do not fully call out the default session-file path or the potential for the skill to invoke the openclaw agent, which is scope creep relative to the metadata.
Install Mechanism
There is no install spec (the package is instruction+scripts only). No external downloads or installers are performed by the skill itself. That lowers supply-chain risk compared to remote downloads. The code does include an example cron install script, but that only prints a crontab entry for users to add manually.
!
Credentials
Metadata declared no required env or credentials, but the code honors and uses several environment variables (OPENCLAW_BIN, OPENCLAW_SESSIONS_FILE, LOG_FILE, LONG_RUN_MODE_AUTO_RESUME). More importantly, by default it will attempt to read a sessions index under the current user home (~/.openclaw/agents/main/sessions/sessions.json) to resolve session IDs. Accessing that file exposes session identifiers and mapping used to target messages; spawning the OpenClaw agent uses the local 'openclaw' binary and can resume sessions. Those capabilities amount to access to messaging targets and the ability to deliver messages into them — a material privilege that is not clearly declared in the skill metadata.
Persistence & Privilege
The skill writes/updates a persistent state file (.task-state.json) inside the skill tree and manages an 'active_long_runs_by_session' lock table; it also provides scripts intended to be run regularly (cron) and can spawn background openclaw agent processes when auto-resume is enabled. The package does not request 'always: true' and doesn't modify other skills' configs, but its persistent state and optional cron usage mean it can have long-term presence and side effects on user sessions if enabled.
What to consider before installing
This skill appears to implement a legitimate long-task/watchdog protocol, but pay attention to these points before installing or enabling it: - Metadata underreports what the code does: it will create and update a local state file (skills/long-run-mode/.task-state.json) and — unless you override paths — read your OpenClaw sessions index (default: ~/.openclaw/agents/main/sessions/sessions.json). That sessions file maps session keys to session IDs and is sensitive because the skill can use it to target messages. - The scripts can spawn the 'openclaw' agent to resume or send messages. Automatic resume only happens if you set LONG_RUN_MODE_AUTO_RESUME=1, but other scripts produce payloads and plans that an operator or automation could execute. Do not set LONG_RUN_MODE_AUTO_RESUME unless you trust the code and its behavior. - Recommended precautions before using: - Inspect the full repository code yourself (or have a trusted person do so). Key entry points: run_keepalive_once.py, run_watchdog_once.py, emit_*.py, task_state.py, and any cron lines you would install. - Run the scripts in a safe / isolated environment first (not on a production agent). Confirm where .task-state.json will be written and what it contains. - Do not enable LONG_RUN_MODE_AUTO_RESUME in production until you verify resolve_session_id behavior and that session resolution will not target unintended sessions. If you want to test, set OPENCLAW_SESSIONS_FILE to a controlled test sessions file. - If you do not want the skill to access your real sessions index, set OPENCLAW_SESSIONS_FILE to an explicit path you control (or ensure it doesn't exist) and do not give it OPENCLAW_BIN that points to a live agent binary. - Avoid adding the suggested cron entry until you are comfortable with its behavior and have reviewed logs. The install script only prints a crontab line — adding it is a separate manual action. Given the mismatch between declared metadata and actual file/agent access, treat this skill as potentially impactful to your messaging sessions and audit accordingly.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c6egwrh6dcnvkxj7a858y9h843qr7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments