Claude Code Task
Warn
Audited by ClawScan on May 18, 2026.
Overview
This skill is a powerful background runner that can launch Claude Code with broad file authority, use local OpenClaw credentials, and send results to messaging apps, so it needs careful review before use.
Install only if you are comfortable with Claude Code running in the background against your files and sending summaries to Telegram or WhatsApp. Use a sandboxed project, verify the destination chat, avoid secrets, patch the unsafe `run-task.sh` message handling, and require explicit confirmation for broad or destructive tasks.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user asking to run tests may get the skill’s own notification/routing validation instead of their project’s actual test suite.
The skill instructs the agent to reinterpret a normal user request as validation of the skill itself, which can redirect user intent away from the project the user likely wanted tested.
When user asks things like: ... "run tests" ... it means **run the full E2E operator validation flow** for `run-task.py` routing + notifications. It does **NOT** mean `pytest`/`unittest` discovery by default.
Only run the E2E operator validation when the user explicitly asks to test this skill; otherwise treat “run tests” as the user’s project tests.
Claude Code could modify files or run project operations in the background with fewer safeguards than a normal interactive session.
The helper launches Claude Code with permission checks disabled. For a background coding agent, this is high-impact authority over files and commands without normal interactive approval.
claude -p "$TASK" \
  --dangerously-skip-permissions \
  --output-format text
Use only in a disposable or well-scoped project directory, require explicit user confirmation before launch, and avoid `--dangerously-skip-permissions` unless the user knowingly accepts that risk.
Untrusted Claude output, task text, or project-controlled content could potentially execute code locally when the notification command is built.
The script interpolates task/output text into Python source code without escaping. If the message contains Python string terminators or code-like content, it can break the generated Python command and cause unintended local code execution.
RESULT=$(head -c 2000 "$OUTPUT_FILE")
...
python3 -c "
import json, requests
msg = '''$MSG'''
requests.post('$GW/tools/invoke',
Do not embed untrusted text into `python3 -c`; pass the message through stdin, an environment variable with proper JSON encoding, or a temporary file read safely by Python.
The skill can act through the user’s local OpenClaw gateway identity, including listing sessions and sending session messages.
The skill reads the local OpenClaw gateway token and later uses it to invoke gateway tools, while the registry metadata declares no primary credential or required config path.
CONFIG_PATH = Path.home() / ".openclaw" / "openclaw.json"
...
def get_token():
    return json.loads(CONFIG_PATH.read_text())["gateway"]["auth"]["token"]
Declare this credential/config requirement, limit gateway tool access where possible, and ensure users understand the skill uses their local OpenClaw session authority.
Installation may silently rely on a local executable that was not declared in the registry requirements.
The script depends on an external `claude` binary, but the metadata lists no required binaries. This is purpose-aligned, but users need to verify what local CLI will actually run.
claude -p "$TASK"
Verify the installed `claude` CLI path and version before using the skill, and update metadata to declare this dependency.
Local agent conversation/session data is accessed during routing, which may include sensitive context even if the code appears to use it only for delivery metadata.
The routing logic reads local OpenClaw session log files to infer Telegram thread metadata. This appears purpose-aligned for thread safety, but those files may contain private conversation context.
base = Path.home() / ".openclaw" / "agents" / "main" / "sessions"
...
files = sorted(base.glob("*-topic-*.jsonl"),
Keep this access narrowly scoped, document it clearly, and avoid running the skill on machines where OpenClaw session logs contain data the user does not want inspected.
Task summaries, errors, or snippets of generated output may be delivered into external chat channels or groups.
The script sends task results through the local OpenClaw gateway to the originating session, which may correspond to Telegram or WhatsApp. This is disclosed by the skill purpose, but it can transmit sensitive task output.
requests.post('$GW/tools/invoke',
headers={'Authorization': 'Bearer $TOKEN', 'Content-Type': 'application/json'},
json={'tool': 'sessions_send', 'sessionKey': '$SESSION_KEY',
'args': {'sessionKey': '$SESSION_KEY', 'message': msg}},
Avoid including secrets in tasks or outputs, confirm the destination session before launch, and prefer private chats for sensitive work.
Work may continue after the chat turn ends, so mistakes can keep running until timeout or manual termination.
The skill intentionally creates a background worker that continues after the current agent turn. This is core to the skill, but it is a persistence/autonomy pattern users should notice.
After a successful `nohup` launch, the correct behavior is: 1. Send a short launch acknowledgment ... 2. **Stop this turn immediately**. 3. Continue only when wake/completion event arrives
Track the PID/log file after launch, set short timeouts for risky tasks, and provide a clear stop/cancel procedure.
