LongTask System

Pass

Audited by VirusTotal on May 11, 2026.

Findings (1)

The bundle implements a 'LongTask System' for orchestrating multi-step agent workflows via a background daemon and state-file management. While the behavior aligns with its stated purpose, it contains several high-risk vulnerabilities: the shell scripts (e.g., daemon.sh, notify_agent.sh) are vulnerable to path traversal because they use the 'task_name' argument to construct file paths without sanitization, and cockpit_renderer.py is susceptible to Cross-Site Scripting (XSS) because it injects unescaped JSON data directly into the generated HTML dashboard. Furthermore, the system's core design has the agent execute arbitrary shell commands defined in task JSON files (as seen in lulu_research_2026-03-24.json), which is a significant risk if task definitions are manipulated.