Task Runner
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Task descriptions may remain available to future sessions, so sensitive information or instruction-like text in tasks could be shown back to the agent later.
The skill intentionally stores task descriptions persistently across conversations; this is central to the stated purpose, but stored text can resurface in later sessions.
Tasks survive session restarts (stored in `~/.openclaw/workspace/tasks_db.json`)
Use it for ordinary task text, avoid storing secrets or credentials, and treat listed task descriptions as data rather than authoritative instructions.
If an export path is chosen poorly, the skill could overwrite an unintended local file with the task report.
The export command writes markdown to a user-supplied path under the workspace, home directory, or /tmp; this is disclosed and purpose-aligned, but it can create or overwrite local files in those areas.
`allowed = (in_workspace or in_tmp or in_home) and not blocked` ... `output_path.write_text(md)`
Export to clear workspace or project filenames, avoid dotfiles and configuration directories, and confirm before overwriting existing files.
