TaskFlow 3.0

Security checks across malware telemetry and agentic risk

Overview

TaskFlow appears to be a real project scheduler, but it gives agents broad autonomous authority to read local workspace data and publish externally without clear approval controls.

Install only if you intentionally want an autonomous scheduler that can read local OpenClaw workspace and intel files, persist logs/history, edit project configuration, and post to external platforms. Review every PROJECT.yaml, keep secrets out of referenced workspace folders, restrict paths to known project directories, and require manual approval before any browser-based publication.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill instructs an agent to read and write workspace files, execute shell commands, and potentially interact with external targets, but it declares no explicit permissions or guardrails. This creates a confused-deputy risk where a caller may treat the skill as low-privilege while it can actually perform sensitive operations across the filesystem and network.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 86%
Finding
The documented purpose is a bounded project workflow runner, but the behavior described by analysis includes broader status inspection, config editing, external state reads, and planning logic not reflected in the declared description. This mismatch undermines operator trust and makes it harder to reason about what data the skill may access or what side effects it may cause.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The path resolution rules explicitly allow absolute paths and home-directory paths, even though the skill is framed as operating within a project-root workspace. That permits a project configuration to direct the agent to read or write files outside the intended project boundary, enabling sensitive file access or modification if a malicious PROJECT.yaml is supplied.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The scheduler reads data from a separate global intel workspace outside the declared project root and scheduling scope. In an agent setting, this broadens data access and can leak or couple unrelated sensitive information into prompts and downstream decisions, violating least-privilege boundaries.

Vague Triggers

Medium
Confidence: 75%
Finding
The activation condition is broad enough that the skill may run in response to loosely related requests such as generic project execution or scheduler events. In an agent setting, vague invocation criteria increase the chance of unintended file access, workflow execution, or persistent modifications without a clearly scoped user request.

Missing User Warnings

Medium
Confidence: 88%
Finding
The guide directs the agent to write execution data into workspace files without clearly warning the user that invoking the skill will persistently modify project state. Hidden or under-disclosed writes are dangerous in agent workflows because users may expect read-only assistance but instead get durable changes that affect future automation and auditing.

Missing User Warnings

Medium
Confidence: 90%
Finding
Appending to a global workspace log creates persistent cross-project state outside the individual project directory, but the documentation does not prominently warn about this side effect. That broadens the blast radius of using the skill and may expose project identifiers, statuses, or operational metadata to other workflows or users with workspace access.

VirusTotal

63/63 vendors flagged this skill as clean.