ClawHub

Task Resume

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate task-continuity skill, but it persistently stores cross-session task context and includes under-scoped automatic resume, watchdog, and log-recovery behavior that users should review before installing.

Install only if you want agents to persist task details across sessions and potentially resume work automatically. Avoid storing secrets in titles, context, acceptance criteria, or recovered logs; restrict recovery to real OpenClaw session logs; inspect or clear memory/task-resume-queue.json regularly; and enable watchdog or cron behavior only with explicit scope, time limits, and a clear stop condition.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill performs file reads and writes to persistent queue and log files but does not declare those capabilities or warn users that task context will be stored on disk. Hidden persistence is risky because interrupted-task context may contain sensitive user data and may be shared across sessions without informed consent. In this skill's context, the danger is increased because the storage is explicitly cross-session and automatic.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The watchdog section expands the skill from passive task resumption into autonomous background execution with recurring progress messages and automatic continuation. That can cause the agent to take actions without a fresh user request, potentially operating on stale context, creating unwanted side effects, or spamming users. The risk is higher here because the behavior is framed as required for users wanting auto-continue, but there is no strict opt-in, permission boundary, or action limitation.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The recommended policy treats nearly any non-explicit interruption as eligible for auto-enqueue and later auto-resume. In an agent workflow, that broad trigger can cause the system to resume prior work without sufficiently clear user consent or situational validation, creating unwanted actions, context confusion, or continuation of stale tasks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README prominently describes persisting interrupted-task context, acceptance criteria, source, session metadata, and recovery from session logs to disk, but only later gives a brief operational note to avoid secrets. That makes it easy for operators to store sensitive conversation or task data in a workspace-global file shared across sessions, increasing privacy and data exposure risk.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation description is broad enough to trigger on ordinary discussion about resuming work, interruptions, or context switches, increasing the chance the skill activates without clear user intent. In this skill, accidental activation matters because it can immediately write task context to shared persistent storage and alter task flow.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Treating nearly all topic switches as interruptions creates an aggressive default that can capture and persist context when the user simply changes subject temporarily or asks a clarifying question. Because this skill auto-enqueues at message time, a false interruption can silently store sensitive work details and distort the user's workflow across sessions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill uses a workspace-global shared queue file across main, clone, and group sessions but does not provide a clear user-facing warning or consent flow for persistent cross-session storage. This is dangerous because task titles, context, acceptance criteria, and session identifiers may be exposed beyond the originating conversation, increasing privacy and data-leak risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill omits a user-facing warning that cron/watchdog logic may continue work and send periodic status messages automatically. Users may not expect autonomous follow-up after the conversation ends, which can lead to unapproved actions, unexpected notifications, and continued processing of sensitive tasks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The recovery flow accepts an arbitrary `--log` path, reads the file, and persists the last 8 lines into the shared queue file without validating the path or limiting recovery to approved session-log locations. In this skill context, session logs may contain prompts, secrets, tokens, or sensitive user content, so this can unintentionally exfiltrate local file contents into a durable memory artifact that may later be surfaced to the agent or user.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal