Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Openclaw Skill Parallel Tasks
v1.0.0
Execute multiple tasks in parallel with timeout protection, error isolation, and real-time progress feedback. Use when user says "run these in parallel", "pa...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's description is a parallel-task executor and the code implements that. However, the package metadata declares no required binaries or environment variables while the code clearly spawns an external 'hermes' CLI to run tasks. If the skill needs to spawn sessions via Hermes, the hermes binary (or an equivalent integration) should be declared; omitting it is an incoherence between stated requirements and actual capabilities.
Instruction Scope
SKILL.md and executor.ts instruct the agent to spawn external sessions using the hermes CLI, read tasks from files or stdin, and print progress. Those actions are within the skill's purpose, but they also allow reading arbitrary files (--tasks-file, /dev/stdin) and will hand user-supplied task text to an external CLI. The instructions do not constrain or sanitize inputs and do not warn about sensitive data in task descriptions.
Install Mechanism
No install/download steps are present (instruction-only with included source). That minimizes supply-chain risk because nothing is fetched from an external URL. The presence of a local script is expected for a CLI utility.
Credentials
The code spawns child processes with env: { ...process.env } (it forwards the entire environment) but the skill declares no required credentials. Forwarding the full environment to spawned processes can leak secrets from the agent/runtime to the hermes process. Also the code conditionally uses process.env.DEBUG. The skill should either declare/justify required environment access or avoid forwarding unrelated secrets.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent installation privileges or attempt to modify other skills or system settings. Autonomous invocation is allowed by default and not by itself a problem.
What to consider before installing
This skill is plausibly what it claims (a parallel task runner) but it has a few red flags you should verify before installing:
1) The code calls an external 'hermes' CLI to spawn sessions but the skill metadata does not list any required binary—ensure your environment provides a trusted hermes binary or that the skill is updated to declare it.
2) The executor forwards the entire process.env to spawned processes; if your agent runtime holds secrets (API keys, tokens), those could be exposed to the hermes process—ask the author to avoid forwarding unrelated env vars or to document exactly what hermes needs.
3) Task text read from files or stdin is passed verbatim to an external CLI; review/validate task inputs to avoid accidental leakage of sensitive content or injection into the external subsystem.
If you trust the hermes CLI and the skill author, require an update to declare required binaries and to minimize env forwarding; otherwise treat this as untrusted code and audit carefully before use.
scripts/executor.ts:192
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
