Skillv1.0.0

ClawScan security

Farm Task Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 12, 2026, 11:35 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and docs generally match a local task-manager purpose, but there are inconsistencies and signs of sloppy packaging (missing install instructions / CLI wiring, truncated/possibly-broken script) that warrant caution before installing.
Guidance: This skill appears to be a local task manager that stores tasks under ~/.openclaw/workspace/farm-task-manager and does not request credentials or network access — that part is coherent and low-risk. However: (1) SKILL.md shows using a 'farm-task' CLI but the package contains only a Python script and no install/packaging instructions, so the CLI may not be available as described; (2) the provided script in the manifest appears truncated/unfinished (there's an incomplete reference to 're' and the file listing is truncated), which likely causes runtime errors; (3) metadata lacks a homepage or descriptive information about the author. Before installing, ask the publisher for a full release or install instructions (a packaged binary, a setup/entrypoint, or instructions to symlink the script to a 'farm-task' command). If you want to test it now, run the script in a sandbox or VM and inspect the full script (look for any network calls or unexpected file writes) and run unit/manual tests. Avoid providing any credentials and do not run it with elevated privileges until you confirm the complete code and install steps.

Review Dimensions

Purpose & Capability: noteName and SKILL.md describe a local farm task manager and the included Python script implements local JSON-backed task storage under ~/.openclaw/workspace/farm-task-manager — this is coherent. However the documentation shows invoking a 'farm-task' CLI but the bundle provides a Python script without an install spec or instructions to expose a 'farm-task' command, creating a usability mismatch. The registry metadata also lacks a description/homepage which reduces transparency.
Instruction Scope: okSKILL.md and the script operate on local files only and declare that writes are confined to the user's home and the skill workspace. There are no network endpoints, embedded secrets, or instructions to read unrelated system files in the visible content. The script includes path validation to block common system and sensitive dotfiles.
Install Mechanism: noteThere is no install spec (lowest install risk). That said, a runnable script is included but no instructions on installing/exposing the 'farm-task' CLI are provided. This gap is a packaging/integration concern: it's unclear how the agent or user is expected to run the commands shown in SKILL.md.
Credentials: okThe skill requests no environment variables or external credentials, and the code works with only local filesystem access. The requested privileges are minimal and appropriate for a local task manager.
Persistence & Privilege: okFlags show normal defaults (not always:true). The skill stores data in its own workspace directory (~/.openclaw/workspace/farm-task-manager/tasks.json). It does not request system-wide config or modify other skills.