Back to skill
Skillv1.1.0
ClawScan security
TaskQueue — Async Task Queue for AI Agents · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 12, 2026, 3:33 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions are consistent with a local TaskQueue utility: it requires no credentials, no installers, and its behaviour (retry, priority, dependencies, timeouts, events) matches the description.
- Guidance
- This appears to be a straightforward, local TaskQueue library and is internally consistent. Before installing, review the full src/task-queue.js to confirm the exported API (the prompt showed a truncated tail) and verify there are no unexpected network/file operations. Note that task handlers/executors you pass into the queue will run with whatever privileges the agent/process has — do not add or queue handlers from untrusted sources, since those handlers could perform I/O or network calls. If you plan to run this in production, consider auditing and pinning the exact code/version and testing timeouts/retry behaviour in a safe environment.
Review Dimensions
- Purpose & Capability
- okName/description match the included JS implementation. No unrelated env vars, binaries, or config paths are requested. The features implemented (priority, retries, timeouts, events, cancel/clear, metrics) are appropriate for a task queue.
- Instruction Scope
- okSKILL.md / README only document the library and include source files. There are no runtime instructions that ask the agent to read arbitrary system files, exfiltrate data, call unrelated network endpoints, or access credentials.
- Install Mechanism
- okNo install spec is present (instruction-only with included source). Nothing is downloaded or written by an installer; risk from install mechanism is minimal.
- Credentials
- okNo environment variables, credentials, or config paths are required. The skill does not request access to unrelated services.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system-wide changes. It only exposes a queue API and event hooks; it does not modify other skills or global config.