smarter-task-planner

Security checks across malware telemetry and agentic risk

Overview

This task-planning skill is mostly coherent, but it needs review because it writes persistent task memory and contains real path-scoping and heartbeat script-location issues.

Install only if you want an agent to create .openclaw workspace folders and persist task summaries automatically. Review or patch the heartbeat template before enabling it, avoid sensitive secrets in task notes, and use only simple task IDs without slashes, absolute paths, or .. traversal segments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill clearly instructs shell execution, filesystem reads/writes, and environment-dependent behavior, yet it declares no permissions or user-consent boundaries. This creates a capability transparency gap: the agent may perform side-effecting operations such as creating directories and writing checkpoints without the user understanding that code execution and persistent filesystem modification will occur.

Intent-Code Divergence

Low
Confidence: 80%
Finding
The file presents itself as a simplified 'safe' writer, but it conditionally executes an external Python script from disk if present. That creates a trust-boundary issue: a reviewer or caller may believe they are invoking this PowerShell implementation, while control is silently transferred to another file whose behavior may differ or be modified.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The script constructs `task_output_dir = OUTPUT_DIR / task_id` and then writes `.task-meta.json` beneath it without validating or normalizing `task_id`. If an attacker can supply values like `../../otherdir`, they can cause metadata writes outside the intended workspace subtree, potentially overwriting files the process can access. In the context of a task-planning skill that routinely handles user-controlled task IDs and persists state, this is a realistic path traversal risk rather than a theoretical issue.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The guide for the 'smarter-task-planner' skill hardcodes a different skill path, 'workspace-organizer', when locating and executing a recovery script. This can cause the heartbeat mechanism to run code from an unintended skill directory, creating a trust-boundary violation and enabling accidental or malicious execution of the wrong script if that other skill is present or replaced.

Vague Triggers

High
Confidence: 95%
Finding
The trigger list includes broad everyday phrases such as task management and work organization terms that are likely to appear in normal conversation. Overly generic triggers can cause unintended activation of a skill that performs shell commands and filesystem writes, leading to surprising side effects and possible workspace pollution or unsafe command execution chains.

Vague Triggers

Medium
Confidence: 90%
Finding
These trigger phrases are ambiguous and lack activation constraints, especially around analysis, research, extraction, and document generation workflows. In context, this is dangerous because the skill does not merely assist semantically; it instructs creating directories and writing persistent checkpoints, so accidental activation can modify the filesystem during otherwise ordinary requests.

Missing User Warnings

Medium
Confidence: 93%
Finding
The workflow directs the agent to create task directories and immediately write checkpoint data, but it does not provide a clear user-facing warning that persistent filesystem modifications will happen. Because the skill is designed for common workflows like analysis and reporting, users may invoke it expecting planning assistance only, while the skill performs writes and shell execution as a default side effect.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script persists arbitrary user-provided content into workspace memory files and task metadata without clear consent, visibility, or minimization. In an agent skill context, this is more dangerous because prompts, extracted secrets, tokens, personal data, or sensitive task context could be stored on disk and later exposed to other tools, users, or sessions.

VirusTotal

65/65 vendors rated this skill clean.