durable-task-runner

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for durable task tracking, but it needs review because it can bind active chat/session metadata, send task status externally, install recurring ticks, and delete a user-supplied install target.

Review before installing. Avoid storing secrets in task snapshots or logs, prefer stdout/noop/log-only delivery unless live OpenClaw messages are intended, verify any chat/session binding before using progress delivery, do not enable the cron helper unless recurring background ticks are wanted, and be careful with install.sh --target because the installer deletes that path first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding
The skill explicitly frames recovery as user-driven, but it also documents `task_tick_all.py` and `task_install_tick_cron.sh`, which enable recurring processing across running tasks without an immediate user prompt. That creates a real session-persistence and background-execution capability that can outlive the initiating interaction, increasing the risk of unintended autonomous actions or data handling after reset/interruption.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The task controller is advertised as durable local state management, but it also triggers outbound reporting by invoking another sender script. Because this behavior is coupled to normal task updates and runs silently with stdout/stderr suppressed, task metadata may be transmitted outside the local controller boundary without clear user awareness or explicit consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The code auto-binds delivery targets from environment variables such as chat/session identifiers, allowing the controller to inherit active messaging context implicitly. In a skill whose primary role is durable task tracking, this increases the chance of unintended disclosure of task content or progress into a live chat/channel the operator did not explicitly choose.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
The script claims it will not invent new branching, but `apply_controller_decision` automatically changes a waiting line to `dispatch` and marks it `assigned` based solely on task-state data. In a durable-task runner, that means untrusted or stale persisted state can cause autonomous continuation of work without fresh user confirmation, potentially bypassing expected human control and resuming actions after resets.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
Using a generic phrase like "continue this" as a recovery trigger is vulnerable to accidental activation during ordinary conversation or prompt injection from surrounding content. In this skill, the trigger can cause the agent to resume prior durable work and invoke resume scripts, so an unintended match may restart actions the user did not mean to re-authorize.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
Routine task updates can automatically trigger reporting events based on an environment-derived delivery binding, meaning ordinary local state changes may cause hidden external communication. In an agent skill context, that is more dangerous because users may reasonably expect status tracking to stay local while the code can silently publish milestones, phase changes, or completion notices to an active chat/session.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The external send operation discards stdout and stderr, reducing transparency and making it difficult for users or reviewers to notice that communication occurred or failed. When combined with automatic delivery binding and update-triggered sends, this creates stealthy behavior inconsistent with a controller that appears to manage only local durable state.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The --apply path modifies the current user's crontab immediately, without an interactive confirmation or dry-run default. In an agent/automation context, this can create unintended persistence and recurring execution that survives the current session, especially if the script is invoked by a user who does not fully understand the side effects.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The installer unconditionally deletes the target path with `rm -rf` if it already exists, without validating that the path is safe or asking for confirmation. Because `--target` is user-controlled, a mistaken or maliciously supplied path could cause loss of arbitrary files under the user's permissions, which is especially risky in an installation script expected to be run directly.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The document explicitly says to 'default downward on reporting/detail' when ambiguity exists, which can reduce operator visibility at exactly the moments when stronger oversight may be needed. In a durable task runner, reduced reporting can hide external side effects, risky intermediate actions, or recovery behavior after resets, making misuse or mistakes harder to detect before completion.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script unconditionally deletes the entire user-supplied output directory with shutil.rmtree(out_root) if it already exists. Because --out is configurable and only resolved, not constrained to a safe subdirectory, a mistaken or maliciously influenced argument could erase arbitrary directories accessible to the user running the script.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
When pending_actions contain user_control items, the script automatically calls apply_task() without verifying fresh user intent or surfacing a confirmation step. In a durable recovery system, stale, injected, or previously queued control actions could be replayed after resets, causing unintended state transitions or task-side effects without the user's awareness.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
For lines in autopilot or handoff status with pending controller_decision, the helper again invokes apply_task() automatically. Because this is a continuation helper designed to survive interruptions, implicit follow-through increases the chance that ambiguous or attacker-influenced task metadata results in actions being executed during recovery, reducing operator oversight at exactly the point where context may be incomplete.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
This code automatically launches a helper to send task updates whenever certain state changes occur, but the behavior is not disclosed or consent-gated in this file. In a durable task skill, that means task metadata, progress, and completion state may be transmitted to a chat/session target derived elsewhere, increasing the risk of unintended data disclosure across channels or contexts.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The function silently derives channel, account, and chat target identifiers from environment variables and stores them as a delivery binding. In this skill's context, which is specifically designed to survive resets and resume work, implicit capture of active chat/session context can cause durable linkage of task state to the wrong conversation or account and lead to unintended disclosure of progress or results.

VirusTotal

66/66 vendors flagged this skill as clean.
