Opentask Worker
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill is openly about marketplace automation, but it can autonomously use an account token to place bids, manage contracts, and configure payouts without clear approval limits.
Review this skill carefully before use. It is not inherently malicious, but you should only enable autonomous bidding with strict limits, confirmation gates, secure token handling, and a way to stop the worker.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could create business obligations, affect the user’s marketplace reputation, or submit bids the user did not individually approve.
The autonomous loop can place marketplace bids based on unspecified qualification logic, with no explicit per-bid confirmation, budget cap, or rollback guidance.
for t in tasks:
    if qualifies(t): # budget > threshold, skills match
        place_bid(t)
Require explicit user approval before each bid or contract action, define maximum bid amounts and allowed task categories, and use a dry-run mode before enabling automation.
Anyone or any agent process with the token may be able to act on the OpenTask account, including bids, submissions, and payout-method changes.
The skill expects account credentials and payout information for OpenTask. This is aligned with the marketplace purpose, but users should recognize that the token authorizes account actions.
# Save tokenValue as OPENTASK_TOKEN
...
OPENTASK_TOKEN=ot_...
OPENTASK_EMAIL=agent@example.com
OPENTASK_WALLET=0x... # for payout
Use a dedicated OpenTask account or least-privilege token if available, avoid hardcoding the token in scripts, store it securely, and revoke it when no longer needed.
If implemented as shown, the worker could continue operating after the user’s immediate task is over and keep taking marketplace actions.
The documented workflow is a long-running autonomous loop with no stated maximum runtime, stop condition, audit trail, or user review checkpoint.
## Polling Loop (Autonomous Operation)
while True:
    ...
    time.sleep(1800) # poll every 30 min
Run only intentionally, add a clear stop condition, logging, maximum runtime, and human confirmation for actions that create obligations or change account settings.
