v1.0.7

结构化任务规划与分步执行 V2（异步子代理架构）

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:25 AM.

Analysis

The skill is openly designed to run background subagents and scheduled monitoring, but that gives it broad ongoing authority and access to local agent session history.

GuidanceReview generated plans carefully before typing ok/确认. Do not approve broad, destructive, or account-changing steps unless you fully intend them. Be aware that this skill can run subagents in the background, create cron heartbeat checks, and read local OpenClaw session history for monitoring. Use timeouts and the documented interrupt command for any task that should not continue running.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents

SeverityMediumConfidenceHighStatusConcern

scripts/MAIN_SESSION_GUIDE.md

sessions_spawn(... cleanup="keep", mode="run") ... 创建子代理后**立即返回**

The skill explicitly launches subagents that continue running asynchronously and keeps their sessions, so work can proceed after the main session has returned.

User impactA confirmed task may keep running in background subagents, potentially continuing actions while the user is doing something else.

RecommendationOnly confirm specific, bounded plans; set timeouts; monitor task status; and use the documented interrupt command if the task should stop.

Tool Misuse and Exploitation

SeverityMediumConfidenceMediumStatusConcern

SKILL.md

使用 sessions_spawn 启动执行子代理 ... task="<步骤 1 的执行 Prompt>"

The generated step prompt is delegated to a subagent for execution. The artifacts require initial user confirmation, but do not show tool-level restrictions, per-step approval, or safeguards for high-impact generated steps.

User impactIf the generated plan includes broad or risky actions, those actions may be delegated to subagents after the initial confirmation.

RecommendationReview every generated step before approving execution, especially steps that modify files, accounts, deployments, or external services.

Agent Goal Hijack

SeverityLowConfidenceMediumStatusNote

SKILL.md

执行结果：{执行子代理的输出} ... 请返回：通过 / 不通过，并说明原因

The verifier subagent is prompted with execution output as context. If that output contains adversarial instructions, it could influence the verifier unless treated strictly as untrusted evidence.

User impactA subtask output could potentially mislead the verification step into passing or failing incorrectly.

RecommendationFor sensitive tasks, manually inspect important outputs instead of relying only on the LLM verification step.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

_meta.json

"permissions": ["read-sessions", "cron", "subagent-spawn"]

The skill declares elevated OpenClaw permissions needed for its design. These are purpose-aligned but materially broaden what the skill can do.

User impactInstalling the skill gives it authority to read session state, create scheduled jobs, and spawn subagents.

RecommendationConfirm that you want these permissions before installing, and remove the skill if you do not need background task orchestration.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusConcern

scripts/stp_orchestrator.py

sessions_file = Path.home() / ".openclaw" / "agents" / "main" / "sessions" / "sessions.json" ... "last_message": str(last_message)[:200]

The script reads the local OpenClaw session index and session files, then returns a snippet of the last message. Agent session history can contain private conversation or tool-output context.

User impactSensitive information from agent session histories could be brought back into task monitoring or status output.

RecommendationUse this only if you are comfortable granting access to local OpenClaw session history, and avoid running it around tasks that contain secrets or sensitive conversations.