Task Status

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its status-update purpose, but it can use local Clawdbot/Telegram access to send updates to a hard-coded Telegram recipient unless the user overrides it.

Review and edit the scripts before installing. Set TELEGRAM_TARGET explicitly, verify the recipient, remove the hard-coded default Telegram ID, and avoid including secrets or sensitive file names in status messages. If you use monitoring or cron, stop it when the task completes and review any local log files it creates.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Status updates, task names, errors, or details could be sent from the user's bot/account to an unintended Telegram chat.

Why it was flagged

The helper can use an existing local Clawdbot gateway credential to send Telegram messages, and if TELEGRAM_TARGET is unset it uses a fixed numeric recipient rather than a clearly user-selected destination.

Skill content

gateway_token = os.environ.get("CLAWDBOT_GATEWAY_TOKEN") ... target = os.environ.get("TELEGRAM_TARGET", "7590912486") ... "channel": "telegram"

Recommendation

Remove the hard-coded recipient, require an explicit user-configured target, declare the gateway/Telegram environment variables, and ask for confirmation before first sending.

What this means

Private task status text may cross a local agent/provider gateway and be forwarded to Telegram without the user clearly seeing the authenticated recipient boundary.

Why it was flagged

The skill sends chat content through a local Clawdbot WebSocket gateway, with this path attempting to send before a clear authenticated handshake and with the same ambiguous Telegram target defaults.

Skill content

ws_url = f"ws://127.0.0.1:{gateway_port}/ws" ... "Send message directly (no handshake needed for simple messages)" ... ws.send(json.dumps(msg))

Recommendation

Authenticate with the gateway before sending, fail closed when token or target is missing, and show the exact destination before forwarding status messages.

Note
High Confidence
ASI10: Rogue Agents

What this means

A monitor or scheduled job could create repeated chat updates until the user cancels or stops it.

Why it was flagged

The skill intentionally supports autonomous periodic status updates and cron-style background behavior; this is disclosed and purpose-aligned, but it can continue sending messages if not stopped.

Skill content

Automatically sends "Still working..." updates every 5 seconds ... Runs in background until stopped ... This allows status updates even when you're not actively watching.

Recommendation

Use periodic monitoring only for active long-running tasks, choose a reasonable interval, and stop or cancel monitors when the task finishes.

What this means

Task names and status details may remain on disk outside the current project.

Why it was flagged

An included helper persists outbound status messages and task names to a hard-coded local log path. This is not the main quick-start script, but it creates local retention if used.

Skill content

LOG_DIR = Path("C:/Users/Luffy/clawd/logs") ... log_message(formatted, direction="out", task_name=step_name, status_type=status_type)

Recommendation

Make logging opt-in, document the log location and retention, and prefer a workspace-scoped path with cleanup instructions.

What this means

The skill may fail or require ad-hoc package installation, which users should review before running.

Why it was flagged

The helper depends on a Python WebSocket package, but the registry shows no install spec or requirements. This is an operational/provenance gap rather than evidence of malicious installation.

Skill content

import websocket

Recommendation

Declare Python dependencies and supported setup steps explicitly, preferably with pinned package names and versions.