Task Father
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: task-father Version: 0.1.0 The skill bundle is classified as suspicious due to its capability to schedule arbitrary AI agent prompts via cron jobs. The `scripts/task_father.py` script uses `subprocess.run` to execute `openclaw cron add` with a user-provided `--message` argument. While the script itself does not craft malicious prompts, this functionality allows a user or a compromised upstream agent to inject arbitrary instructions into future agent tasks, posing a significant prompt injection risk against the agents that will execute these scheduled cron jobs. There is no evidence of direct data exfiltration, shell injection, or other malicious intent within the provided code.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted cron name could overwrite or remove local JSON files the agent can access, not just the intended cron spec.
The cron name is user-controlled and is not slugified or checked before being used as a filesystem path, so path separators or an absolute path can write or delete .json files outside the task's crons directory.
s.add_argument("--name", default=None) ... (task_dir / "crons" / f"{name}.json").write_text(...) ... spec = task_dir / "crons" / f"{name}.json"; if spec.exists(): spec.unlink()Validate cron names with the same slug rules as task slugs, reject absolute paths and '..', resolve the path, enforce it remains inside the task's crons directory, and require explicit confirmation before deletion.
A scheduled job can continue prompting an agent on a recurring schedule until it is removed.
The helper intentionally creates scheduled OpenClaw cron jobs that deliver user-provided messages to the configured agent. This is purpose-aligned, but it is persistent autonomous activity.
"openclaw", "cron", "add", "--name", name, "--cron", cron_expr, "--agent", spec["agent"], "--message", message, "--no-deliver"
Create cron jobs only with explicit user intent, keep prompts narrowly scoped, inspect scheduled jobs periodically, and remove them with cron-rm when the task is finished.
Sensitive details or untrusted instructions placed in these files can persist and influence later work.
The skill intentionally stores durable task context and queue state in files that future agents may read or reuse.
`TASK.md` (front matter + purpose/decisions/blockers/changelog + capabilities) ... optional queue-state files (`queue.jsonl`, `done.jsonl`, `failed.jsonl`, `lock.json`)
Do not store secrets in task files, review or sanitize task docs and queues before using them as context, and clean up stale tasks when they are no longer needed.