Task Notifier
Suspicious
Audited by ClawScan on May 12, 2026.
Overview
Task Notifier has a clear notification purpose, but its startup plugin builds a shell command from runtime agent/workspace values without safe escaping, creating a local command-execution risk.
Treat this as a Review item rather than clearly malicious: the purpose is coherent and there is no evidence of exfiltration, but the unsafe execSync shell string should be fixed before broad use. If you install it, expect a persistent macOS startup plugin that observes agent lifecycle events, uses local AppleScript notifications, and writes .openclaw-task state files.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted agent name, workspace path, or install path containing shell syntax could potentially run unintended local commands when an agent starts or ends.
The plugin assembles a shell command string from runtime values such as the agent display name and workspace-derived state directory instead of using execFile/spawn with separate argv and env parameters. Shell metacharacters in those values could change what command is executed under the user's account.
execSync(
  `AGENT_NAME="${displayName}" STATE_DIR="${stateDir}" "${SHARED_SCRIPT}" ${action} "${message}"`,
Replace shell-string execSync with execFileSync or spawn using an argument array and an env object, validate/escape runtime values, and separately escape strings passed into AppleScript.
The plugin may need macOS automation permissions and can locally observe the current foreground app/window title, though the artifacts do not show this data being sent anywhere.
The script uses macOS automation to inspect the foreground application/window title so it can suppress notifications while OpenClaw is active. This is purpose-aligned, but it is a local visibility/automation capability users should understand.
tell application "System Events"
  set frontProc to first application process whose frontmost is true
  set winTitle to name of front window of frontProc
Install only if you are comfortable granting the plugin local macOS automation visibility for notification suppression.
After setup, it will automatically monitor all agent completions in the background.
The plugin is configured to start automatically with OpenClaw. This matches the advertised background notifier behavior, but it means the code continues running across OpenClaw sessions until removed or disabled.
"activation": {
  "onStartup": true
}
Confirm you want a persistent startup plugin, and know how to remove it from the OpenClaw plugin configuration if you no longer want notifications.
Users on non-macOS systems, or users expecting an instruction-only skill, may not realize this package includes a runtime plugin that must be manually loaded and runs macOS commands.
The registry metadata does not declare the macOS-only runtime requirements or plugin installation behavior, while the source and SKILL.md require macOS tools such as osascript and afplay. This is an under-declared compatibility/provenance issue, not evidence of hidden exfiltration.
OS restriction: none
Required binaries (all must exist): none
Install specifications: No install spec — this is an instruction-only skill.
The publisher should declare macOS requirements and plugin/runtime behavior in metadata; users should verify the plugin files before manual installation.
