LongTask System

Security checks across malware telemetry and agentic risk

Overview

This is a coherent long-task automation skill, but it is rated Review: it runs a persistent agent-orchestration daemon, resets agent context between steps, and renders untrusted task text into HTML without escaping.

Install only if you are comfortable with a local daemon dispatching agent work from task JSON. Use trusted task files only, repeat important user constraints inside every step because /new resets context, monitor the logs and the inbox, know how to stop the screen/setsid daemon, and do not open generated cockpit HTML for untrusted task content until escaping is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill documents that `consume_inbox.sh` performs a destructive read ('读取即删除', read-and-delete) but gives no warning about irreversibility, recovery limits, or operator safeguards. In a task-orchestration system, silently deleting queued work loses the message, breaks auditability, and is hard to recover from if an agent crashes after consuming a message but before completing the step.
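The safer queue pattern this finding points at is claim-then-acknowledge: move the message out of the inbox instead of deleting it, and remove it only after the step has finished. The following is an added example written for this review, not the skill's own `consume_inbox.sh`; the `inbox/`, `processing/` and `done/` directory names, the message file format and the timeout value are assumptions chosen for illustration.

```python
import json
import os
import shutil
import tempfile
import time


def claim_next(inbox: str, processing: str):
    """Atomically move the oldest queued message from inbox/ to processing/.

    Returns (claimed_path, payload) or None when the inbox is empty. Nothing is
    deleted: a crash after this call leaves the file in processing/ for recovery.
    """
    os.makedirs(processing, exist_ok=True)
    for name in sorted(n for n in os.listdir(inbox) if n.endswith(".json")):
        src, dst = os.path.join(inbox, name), os.path.join(processing, name)
        try:
            os.rename(src, dst)  # atomic on one filesystem; a racing worker gets ENOENT
        except FileNotFoundError:
            continue
        os.utime(dst, None)  # stamp the claim time (rename keeps the old mtime)
        with open(dst) as f:  # malformed JSON stays in processing/ for an operator
            return dst, json.load(f)
    return None


def ack(claimed_path: str, done_dir: str) -> str:
    """Called only after the step completed: archive (or delete) the claimed file."""
    os.makedirs(done_dir, exist_ok=True)
    dst = os.path.join(done_dir, os.path.basename(claimed_path))
    os.rename(claimed_path, dst)
    return dst


def requeue_stale(processing: str, inbox: str, max_age_s: float) -> list:
    """Crash recovery: claims older than max_age_s go back to the inbox."""
    now = time.time()
    moved = []
    for name in sorted(os.listdir(processing)):
        path = os.path.join(processing, name)
        if now - os.path.getmtime(path) >= max_age_s:
            os.rename(path, os.path.join(inbox, name))
            moved.append(name)
    return moved


def demo_crash_recovery() -> dict:
    """Walks through claim -> crash -> requeue -> claim -> ack on a temporary queue."""
    root = tempfile.mkdtemp()
    inbox, processing, done = (os.path.join(root, d) for d in ("inbox", "processing", "done"))
    os.makedirs(inbox)
    # Constructed sample messages; the fields are illustrative, not the skill's schema.
    for i in (1, 2):
        with open(os.path.join(inbox, f"{i:04d}.json"), "w") as f:
            json.dump({"task_id": f"t-{i}", "step": "build"}, f)

    claimed, payload = claim_next(inbox, processing)
    result = {"first_claimed": payload["task_id"],
              "inbox_after_claim": len(os.listdir(inbox))}
    # Simulated crash: the worker dies before ack(). A read-and-delete consumer
    # would have lost t-1 here. Backdate the claim so the sweeper sees it as stale.
    stale = time.time() - 3600
    os.utime(claimed, (stale, stale))
    result["requeued"] = requeue_stale(processing, inbox, max_age_s=600)
    result["inbox_after_recovery"] = len(os.listdir(inbox))
    # Normal path: claim again, do the work, then ack.
    claimed, payload = claim_next(inbox, processing)
    ack(claimed, done)
    result["acked"] = payload["task_id"]
    result["done_after_ack"] = len(os.listdir(done))
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo_crash_recovery())
```

The shell equivalent is `mv inbox/msg processing/msg` on the same filesystem, which is also a single atomic rename; a periodic sweep of `processing/` replaces the silent loss with a visible, recoverable state.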

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding
The skill states that each subtask is forcibly executed after a `/new` conversation reset, and offers only manual script modification as a way to avoid it. Forcing resets without explicit user opt-in erases safety-relevant context, earlier constraints, and task history, which raises the chance of policy bypass, inconsistent behavior, or unsafe execution in long-running automation.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The script renders untrusted JSON fields such as task_id, description, step name, and agent_id directly into an HTML document without escaping or sanitization. An attacker who can influence the task file can inject arbitrary HTML and JavaScript that runs when a user opens the generated cockpit.html: a stored, local XSS-style issue in a browser-viewable artifact, executing with whatever the browser grants a file:// document.
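The pattern in this finding and its fix, side by side, as an added example written for this review rather than the skill's own cockpit generator: the hostile task JSON, the field names and the HTML layout are constructed for illustration, and `active_content` is a helper that parses the output to show which script-capable tags and event handlers survive.

```python
import html
import json
from html.parser import HTMLParser

# Constructed sample task file with hostile field values (not the skill's real task format;
# only the field names mentioned in the finding are reused).
MALICIOUS_TASK_JSON = json.dumps({
    "task_id": 't-001"><img src=x onerror=alert(1)>',
    "description": "<script>alert(document.cookie)</script>",
    "agent_id": "agent-7",
    "steps": [{"name": 'build</td><td onclick="alert(2)">'}],
})


def render_cockpit_unsafe(task_json: str) -> str:
    """Reproduces the pattern in the finding: JSON fields dropped straight into HTML."""
    task = json.loads(task_json)
    rows = "".join(f"<tr><td>{s['name']}</td></tr>" for s in task["steps"])
    return (
        f'<html><body><h1 id="{task["task_id"]}">Task {task["task_id"]}</h1>'
        f'<p>{task["description"]}</p><p>agent: {task["agent_id"]}</p>'
        f"<table>{rows}</table></body></html>"
    )


def render_cockpit_safe(task_json: str) -> str:
    """Hardened form: every untrusted value is escaped for the context it lands in.

    html.escape(quote=True) is correct for text nodes and double-quoted attribute
    values. It is not enough for values placed inside <script>, in URLs, or in
    unquoted attributes; keep untrusted data out of those contexts entirely.
    """
    task = json.loads(task_json)

    def e(value) -> str:
        return html.escape(str(value), quote=True)

    rows = "".join(f"<tr><td>{e(s['name'])}</td></tr>" for s in task["steps"])
    return (
        f'<html><body><h1 id="{e(task["task_id"])}">Task {e(task["task_id"])}</h1>'
        f'<p>{e(task["description"])}</p><p>agent: {e(task["agent_id"])}</p>'
        f"<table>{rows}</table></body></html>"
    )


class _ActiveContent(HTMLParser):
    """Collects tags and on* attributes that would execute when the file is opened."""

    SUSPECT_TAGS = {"script", "img", "iframe", "object", "embed", "svg"}

    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        if tag in self.SUSPECT_TAGS:
            self.found.add(tag)
        self.found.update(name for name, _ in attrs if name.startswith("on"))


def active_content(doc: str) -> list:
    """Sorted list of script-capable tags and event-handler attributes found in doc."""
    parser = _ActiveContent()
    parser.feed(doc)
    parser.close()
    return sorted(parser.found)


if __name__ == "__main__":
    print("unsafe:", active_content(render_cockpit_unsafe(MALICIOUS_TASK_JSON)))
    print("safe:  ", active_content(render_cockpit_safe(MALICIOUS_TASK_JSON)))
```

Run stand-alone, the unsafe renderer yields `img`, `script`, `onerror` and `onclick` from a single task file, while the escaped renderer yields none; the same check can be run over a real cockpit.html before anyone opens it in a browser.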

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The task metadata uses a highly ambiguous trigger value, "红运", with no visible scope restriction, namespace, authorization binding, or invocation constraint. If the orchestration system starts tasks by trigger name, a broad or guessable activator can cause unintended task execution, collisions with unrelated automations, or abuse by other agents or users in the same environment.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal