Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Task System

Manage tasks with automatic creation, SQLite tracking, heartbeat updates, notifications, stuck task detection, and recovery in a complete lifecycle system.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 1.5k · 7 current installs · 7 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the actual code: CLI scripts implement create, heartbeat, complete, stuck, and status using an on-disk SQLite DB under ~/.openclaw/workspace/databases/tasks.db. No unrelated services, credentials, or binaries are requested.
Instruction Scope
Runtime instructions and scripts operate on a local SQLite DB and the user's home paths only (consistent with purpose), but several commands build SQL statements by interpolating unvalidated user input (e.g., TASK_ID inserted directly into SQL in heartbeat/complete/task-system.sh and other scripts). This allows SQL injection or accidental execution of extra SQL if an attacker or malformed input is passed as an ID or notes parameter.
Install Mechanism
There is no network download; install.sh modifies user shell startup files (~/.bashrc or ~/.bashrc.d) and optionally creates a symlink in ~/.local/bin. Modifying shell config is expected for CLI tools but is persistent and should be reviewed before running.
Credentials
The skill requests no environment variables, credentials, or external config paths beyond storing its SQLite DB under the user's home. This is proportionate to the claimed functionality.
Persistence & Privilege
The skill does not request elevated privileges or always:true. However, install.sh adds PATH changes and a symlink in the user's home, which grants persistent CLI availability; combining this persistence with the unvalidated-input issue increases the potential blast radius if untrusted inputs are supplied.
What to consider before installing
This skill appears to implement a simple local task tracker and is internally consistent, but take these precautions before installing or enabling it:

  • Inspect install.sh and DO NOT run it blindly. It will append or write to ~/.bashrc or ~/.bashrc.d and create a symlink in ~/.local/bin. Back up your shell config first.
  • The scripts build SQL by concatenating user-supplied values. An attacker (or a malformed ID/notes string) could inject extra SQL. Before using in production, modify the scripts to validate inputs (e.g., ensure TASK_ID matches ^[0-9]+$) and sanitize fields consistently.
  • Consider running the scripts in a limited environment or container and keep the database under a directory you control; back up the DB before first use.
  • If you allow an autonomous agent to invoke this skill, be cautious: the agent could call create/heartbeat/complete with attacker-controlled strings. If you cannot audit and harden the scripts, do not grant the agent autonomous use of the skill.

If you want, I can produce hardened patch suggestions (e.g., input validation snippets and safer SQL invocation patterns) you can apply to the scripts before installing.
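
One way to apply the validation the scan recommends, as an added example that is not the skill's own code: the task ID is checked against the equivalent of ^[0-9]+$ before any SQL is built, and the notes text is quoted as a SQLite string literal. The helper names, the TASK_DB variable and the status value 'completed' are assumptions; the column names and database path are the ones shown on this page.

```shell
#!/bin/sh
# Added example: hardened ID validation and SQL construction for a "complete" call.
# Helper names, TASK_DB and the status value 'completed' are assumptions.

# POSIX equivalent of ^[0-9]+$: reject empty strings and any non-digit.
is_task_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# SQLite string literals have one special character, the single quote,
# which is escaped by doubling it. Backslashes are ordinary characters.
sql_quote() {
  printf '%s' "$1" | sed "s/'/''/g"
}

# Build the UPDATE for "complete <id> <notes>"; refuse to build it at all
# when the ID is not a plain integer. Column names come from the schema.
build_complete_sql() {
  if ! is_task_id "$1"; then
    echo "invalid task id: $1" >&2
    return 2
  fi
  printf "UPDATE tasks SET status='completed', completed_at=CURRENT_TIMESTAMP, last_updated=CURRENT_TIMESTAMP, notes='%s' WHERE id=%s;" \
    "$(sql_quote "$2")" "$1"
}

# Run the statement against the skill's database (path from the scan report).
complete_task() {
  sql=$(build_complete_sql "$1" "$2") || return
  sqlite3 "${TASK_DB:-$HOME/.openclaw/workspace/databases/tasks.db}" "$sql"
}

# Constructed inputs: print what would be sent to sqlite3, without running it.
build_complete_sql 7 "done'); DROP TABLE tasks;--"; echo
build_complete_sql "7; DROP TABLE tasks" "notes" || echo "rejected"
```

The same is_task_id check applies unchanged to the heartbeat command, which takes only an ID.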

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.1

SKILL.md

Task System

One skill for complete task lifecycle management.

Installation

./install.sh

Or manually add to PATH:

export PATH="$HOME/.openclaw/agents/main/workspace/skills/task-system/scripts:$PATH"

Quick Commands

# Create task
task-system.sh create "Your request here"

# Update heartbeat
task-system.sh heartbeat "$TASK_ID"

# Mark complete
task-system.sh complete "$TASK_ID" "Optional notes"

# Check stuck
task-system.sh stuck

# Daily status
task-system.sh status

Database Schema

CREATE TABLE IF NOT EXISTS tasks (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  request_text TEXT NOT NULL,
  status TEXT DEFAULT 'pending',
  priority INTEGER DEFAULT 5,
  created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
  started_at DATETIME,
  completed_at DATETIME,
  last_updated DATETIME DEFAULT CURRENT_TIMESTAMP,
  notes TEXT
);

-- Key indexes
CREATE INDEX IF NOT EXISTS idx_tasks_status_updated ON tasks(status, last_updated);
CREATE INDEX IF NOT EXISTS idx_tasks_priority ON tasks(priority ASC);

Scripts

See scripts/ directory:

  • task-system.sh — Main CLI (create, heartbeat, complete, stuck, status)
  • create-task.sh — Create new task
  • heartbeat.sh — Update last_updated
  • complete-task.sh — Mark complete
  • stuck-check.sh — Find stuck tasks
