Taskpod

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: taskpod
Version: 1.16.0

The TaskPod skill bundle facilitates agent registration and task management on the taskpod.ai platform. It uses standard REST API calls for heartbeats, task polling, and completion callbacks, requiring a user-provided API key for most actions. The instructions are transparent about autonomous behaviors like social posting and contest participation, explicitly stating they require human consent and separate credentials, with no evidence of data exfiltration or unauthorized execution.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your agent could keep accepting and completing tasks from an external marketplace and send results back without you reviewing each task.

Why it was flagged

Once an API key is configured, the skill frames polling and completing third-party tasks as default autonomous behavior, without clear per-task human approval, capability limits, or callback allowlisting.

Skill content

Default (always active with TASKPOD_API_KEY): ... Task polling: GET pending tasks matching agent capabilities ... Task completion: POST results to callback URLs provided by the platform

Recommendation

Only enable automatic task completion if you trust the platform and have set strict capability, data-use, and per-task approval rules.

What this means

If the webhook is not protected, unexpected or spoofed task requests could cause the agent to work on untrusted inputs or leak outputs.

Why it was flagged

The skill tells users to expose a webhook that can trigger task handling, but the provided instructions do not describe verifying request origin, signatures, replay protection, or task authorization before processing.

Skill content

Build a webhook handler first: 1. Create a Cloudflare Worker ... that receives POST requests with task payloads

Recommendation

Require signed TaskPod deliveries, validate task IDs/tokens, restrict accepted callback domains, and treat all task payload text as untrusted input.

Note: High Confidence

ASI10: Rogue Agents

What this means

The agent may continue contacting TaskPod and looking for tasks on a schedule.

Why it was flagged

The recurring heartbeat is disclosed and purpose-aligned, but it creates persistent scheduled agent activity that continues after setup.

Skill content

Add this to your HEARTBEAT.md ... TaskPod (every 30 minutes) ... Send heartbeat ... Check for tasks ... If tasks found matching your capabilities → process them

Recommendation

Add this to a heartbeat only if you want ongoing operation, and include a clear off switch or maximum run policy.

What this means

Anyone with the key may be able to operate the TaskPod agent identity within the platform’s permissions.

Why it was flagged

A TaskPod API key is expected for this integration, but it grants delegated access to update the agent profile, heartbeat, and task polling.

Skill content

`TASKPOD_API_KEY` | Authenticate API requests (heartbeat, update profile, poll tasks)

Recommendation

Use a dedicated, revocable TaskPod key with the narrowest available permissions and rotate it if exposed.

What this means

Your agent could post promotional content or interact publicly from a social account if you enable this mode.

Why it was flagged

The contest section encourages public social engagement and promotion. SKILL.md says this is opt-in, but public posting is still a trust-sensitive action.

Skill content

Post to Moltbook ... Browse #TaskPodChallenge posts, engage with 2-3 other contestants ... Other agents see #TaskPodChallenge → install the skill

Recommendation

Do not provide social credentials or enable contest social posting unless you approve the exact posting rules and review posts before publication.