Skill v1.0.6

ClawScan security

Async Queue · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 8:58 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and docs largely match the described purpose (a local file-backed delayed-task queue), but there are a few mismatches and assumptions (HTTP auth/port assumptions, a hard-coded default agent name, and a persistent launchd daemon) that need clarification before trusting it.
Guidance
This package appears to implement a local delayed-task queue as described, but review a few items before installing:

- Authentication and port assumptions: daemon.js POSTs to 127.0.0.1:18789 with no auth headers, while the plugin route declares auth: "plugin". Confirm how your OpenClaw gateway exposes plugin HTTP routes and whether it accepts unauthenticated localhost POSTs. If your gateway requires tokens, the daemon will fail unless adapted.
- Port binding is assumed (18789). Verify your OpenClaw instance listens on that port, or update daemon.js accordingly.
- Persistent daemon: running the provided install.sh copies files into ~/.openclaw and registers and loads a launchd job that auto-starts on login and restarts on crash. Only run the install script if you accept a persistent process running under your user account.
- Files and permissions: the queue file (queue.json), history, and logs live in your home directory. Inspect their contents and set restrictive file permissions if needed, so that other local users cannot insert tasks.
- Default agent name: push.js falls back to a hard-coded default agent 'marcus' if no config is present. If you neither pass --to nor set config.json, queued tasks may target that agent; edit config.json or the code to set the default you want.
- Review the plugin code: it enqueues system events and calls requestHeartbeatNow to wake agents. This is needed for the feature, but it is a capability you should be comfortable granting. Ensure only trusted local processes can write to queue.json or call the plugin endpoint.

If you want to proceed safely: (1) audit the files in the package, (2) run install.sh under a controlled user account (not root), (3) verify the plugin endpoint and its auth model on your OpenClaw gateway, and (4) consider changing the default agent and tightening filesystem permissions on ~/.openclaw/queue.
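The checks behind steps (2) to (4), and behind the Instruction Scope and Persistence notes below, as an added shell example. This is not the ClawScan report's or the skill's own code; it only uses the paths and port the report names. The LaunchAgents plist filename, and the assumption that push.js reads config.json from the queue directory, are mine and should be adjusted to what install.sh actually writes.

```shell
#!/bin/sh
# Added example, not part of the ClawScan report or of the skill's install.sh:
# pre-install / post-install checks for the queue skill's risk items.
# Paths default to the locations the report names; the plist filename and the
# config.json location are assumptions.

OPENCLAW_HOME="${OPENCLAW_HOME:-$HOME/.openclaw}"
QUEUE_DIR="${QUEUE_DIR:-$OPENCLAW_HOME/queue}"
GATEWAY_PORT="${GATEWAY_PORT:-18789}"
# Assumed plist name; check the label install.sh actually writes.
QUEUE_PLIST="${QUEUE_PLIST:-$HOME/Library/LaunchAgents/openclaw.queue.plist}"

# 0 when the directory is owner-only (rwx------) and every regular file in it
# is owner-only (rw-------); otherwise print the offending path and return 1.
# Parses ls output so it behaves the same on macOS and Linux.
queue_perms_ok() {
  dir="$1"
  [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
  mode=$(ls -ld "$dir" | cut -c2-10)
  [ "$mode" = "rwx------" ] || { echo "dir not 700: $dir ($mode)"; return 1; }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    fmode=$(ls -l "$f" | cut -c2-10)
    [ "$fmode" = "rw-------" ] || { echo "file not 600: $f ($fmode)"; return 1; }
  done
  return 0
}

# The tightening the report recommends: 700 on the directory, 600 on its
# files (queue.json, history, logs), then re-check.
tighten_queue_perms() {
  dir="$1"
  chmod 700 "$dir" || return 1
  for f in "$dir"/*; do
    if [ -f "$f" ]; then chmod 600 "$f" || return 1; fi
  done
  queue_perms_ok "$dir"
}

# 0 if a launchd plist sets RunAtLoad or KeepAlive to true, i.e. the job
# starts at login and is restarted whenever it exits (what install.sh loads).
plist_autostarts() {
  flat=$(tr -d ' \t\n\r' < "$1")
  case "$flat" in
    *"<key>RunAtLoad</key><true/>"*|*"<key>KeepAlive</key><true/>"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Show whatever is bound to the port daemon.js assumes (needs lsof, as on
# macOS). No output means the daemon's POSTs would have nothing to talk to.
gateway_listener() {
  lsof -nP -iTCP:"$1" -sTCP:LISTEN 2>/dev/null
}

# 0 if a non-empty config.json exists in the queue directory, so push.js has
# a configured default instead of the hard-coded 'marcus'. Where push.js
# really reads config.json is an assumption; adjust the path if it differs.
default_agent_configured() {
  [ -s "$1/config.json" ]
}

# Run every check against the real install locations and report.
audit_queue_install() {
  echo "== listener on 127.0.0.1:$GATEWAY_PORT =="
  gateway_listener "$GATEWAY_PORT" || echo "nothing listening on $GATEWAY_PORT"
  echo "== queue permissions ($QUEUE_DIR) =="
  queue_perms_ok "$QUEUE_DIR" && echo "ok (700/600)"
  echo "== launchd job ($QUEUE_PLIST) =="
  if [ -f "$QUEUE_PLIST" ] && plist_autostarts "$QUEUE_PLIST"; then
    echo "RunAtLoad/KeepAlive set: daemon persists across logins and crashes"
  else
    echo "no auto-starting plist found"
  fi
  echo "== default agent =="
  if default_agent_configured "$QUEUE_DIR"; then
    echo "config.json present"
  else
    echo "no config.json: push.js would default to 'marcus'"
  fi
}
```

Source the file and call audit_queue_install before and after running install.sh; run tighten_queue_perms "$HOME/.openclaw/queue" if the permission check complains. The listener check only tells you that something answers on 18789, not whether it accepts unauthenticated POSTs; that still has to be confirmed against your gateway's auth model, since the report could not settle it from the skill's code.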

Review Dimensions

Purpose & Capability
ok
Name/description align with what the package installs: a file-backed queue, a daemon to poll queue.json, a push CLI, a queue-cli, and an OpenClaw plugin that wakes agents. The files present (daemon.js, push.js, plugin code) are consistent with the stated functionality.
Instruction Scope
concern
The runtime instructions and code assume the daemon can POST to an OpenClaw plugin HTTP endpoint at 127.0.0.1:18789 with no authentication headers, while the plugin declares route auth: "plugin". It is unclear whether the OpenClaw HTTP layer accepts unauthenticated local POSTs or requires additional auth tokens. The daemon also hard-codes port 18789 and expects the plugin to be reachable there; this is an external assumption that nothing in the plugin code enforces. In addition, push.js falls back to a hard-coded default agent name ('marcus') if no config is present, so tasks may be directed to an unexpected agent when a user supplies neither --to nor a config.
Install Mechanism
ok
No remote downloads or installers: install.sh copies packaged files into the user's home (~/.openclaw), writes a launchd plist, and runs launchctl load. All code is included in the skill bundle, which is the lowest-risk install type short of being instruction-only. The script does start the daemon immediately via launchctl when run.
Credentials
ok
The skill requests no environment variables, credentials, or external services. Files are written under the user's home (~/.openclaw/queue and ~/.openclaw/extensions/queue-wake). No unrelated secrets or system credentials are requested.
Persistence & Privilege
note
The install script installs a launchd job and loads it so the daemon runs persistently (RunAtLoad + KeepAlive). This is expected for a background queue, but a persistent daemon is a standing change to the user's login environment and should be installed consciously. The skill is not force-included (always: false) and requests no privileges beyond the user's own home directory and a per-user launchd entry.