Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Task Scheduler

v1.0.0

Task queue management with WebSocket real-time updates. Schedule, monitor, and control background tasks. Supports immediate, scheduled, and recurring tasks w...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (task queue with WebSocket and persistence) roughly matches the included code: a TaskScheduler implementation and a CLI. However the SKILL.md describes additional modules (websocket.py, persistence.py, task.py, queue.py) and example files that are not present in the file manifest. That is an incoherence between claimed capabilities and the actual package contents.
Instruction Scope
Runtime instructions tell the agent/user to run the included CLI and daemon and to use a WebSocket client on ws://localhost:8080. The SKILL.md also lists tools including exec/read/write/cron — which grants broad agent actions. The provided scripts call only local Python code, but the documentation references WebSocket/persistence behavior that isn't visible in the provided files; you should inspect the remainder of scheduler.py (truncated in the scan) for any network endpoints, file I/O, or external calls before running.
Install Mechanism
No install specification is provided (instruction-only skill with included code). requirements.txt lists reasonable dependencies (websockets, python-crontab, aiosqlite) as comments. No downloads or external install URLs are used.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The code shown does not access environment secrets. This is proportionate to a local task scheduler.
Persistence & Privilege
The skill is not 'always: true' and does not request elevated agent privileges. However SKILL.md promises persistence (./tasks.db, persistence module) while the CLI as packaged creates ephemeral TaskScheduler instances per command and the persistence implementation is not visible in the provided files. Confirm how state is stored and whether it writes to disk when running the daemon.
What to consider before installing
What to check before installing or running this skill:

- The documentation and architecture list modules (websocket.py, persistence.py, task.py, queue.py, examples/) that are not present in the package; ask the publisher for the missing files or inspect the full scheduler.py for the missing functionality.
- Review the remainder of lib/scheduler.py (the scan truncated save_state and possibly other functions) to confirm there are no unexpected network endpoints, hardcoded remote hosts, telemetry, or code that reads arbitrary files or environment variables.
- Confirm how persistence works: SKILL.md mentions tasks.db and persistence.py, but the CLI as provided constructs an in-memory TaskScheduler for each command — test whether starting the daemon actually persists tasks and where files are written.
- The SKILL.md lists 'exec' among allowed tools and shows running the daemon and using wscat; running the daemon will open local ports (default ws://localhost:8080). Only run in a safe environment if you don't want a local service listening on ports or writing files.
- Inspect requirements (websockets, python-crontab, aiosqlite) and install them from trusted sources, and run the daemon in an isolated environment (container or VM) first to observe behavior.

If you want, I can (1) show the remainder of the truncated scheduler.py for further review, (2) search the codebase for any network calls or file-write APIs, or (3) produce a short checklist to run the daemon safely in a sandbox.

Like a lobster shell, security has layers — review code before you run it.
