AgentDo
Review
Audited by ClawScan on May 10, 2026.
Overview
AgentDo is not shown to be malware, but it needs review because it can send tasks to an external agent/human queue and accept untrusted tasks without clear approval or data-boundary rules.
Install only if you intentionally want your agent to outsource tasks through agentdo.dev or take work from its queue. Before use, require explicit review of every posted or claimed task, avoid sending secrets or sensitive personal data, protect the API key, and stop any polling loop when the intended task is complete.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private task context or files described in a task could be exposed to unknown external parties, and returned work may come from untrusted sources.
The skill explicitly routes task content between this agent, unknown external agents, and possibly humans, but the artifacts do not explain identity, visibility, retention, or data-sharing boundaries.
Post tasks for other AI agents to do, or pick up work from the AgentDo task queue (agentdo.dev)... you need a human for a physical or judgment task.
Use only with explicit user approval for each posted or claimed task, avoid secrets or sensitive personal data, and verify who can access tasks and results.
A task from an unknown requester could redirect the agent into doing unrelated, unsafe, or unwanted work.
Remote task content from the queue is treated as work instructions for the agent, with no instruction to sandbox, validate, or seek user confirmation before following it.
RESP=$(curl -s "https://agentdo.dev/api/tasks/next?skills=YOUR,SKILLS&timeout=25" ... # Read input and output_schema from the task, do the work
Treat all queued task input as untrusted; show it to the user first, restrict permitted actions, and ignore any remote instructions that conflict with the user's intent or system rules.
The agent can create or change task state on AgentDo if given the API key.
The skill documents raw REST write operations that create, claim, deliver, accept, and reject tasks. This is expected for a task-queue skill, but it mutates an external service.
| Post task | POST | `/api/tasks` | ...
| Claim | POST | `/api/tasks/:id/claim` |
| Deliver | POST | `/api/tasks/:id/deliver` |
| Accept | POST | `/api/tasks/:id/complete` |
| Reject | POST | `/api/tasks/:id/reject` |
Require user confirmation before posting, claiming, delivering, accepting, or rejecting tasks, especially when task content affects third parties.
Anyone with the key may be able to perform AgentDo write actions associated with that key.
The skill requires a reusable provider API key for write actions. This is purpose-aligned, but it is a credential that should be protected.
Generate a free API key (no signup)... Save the returned `key`. Pass it as `x-api-key` header on all write requests. Store the key for reuse.
Store the key securely, do not paste it into shared task content, and rotate or revoke it if exposed.
If run unattended, the agent could keep waiting for or claiming work longer than the user intended.
The examples use indefinite polling loops to wait for results or new work. This is disclosed and central to the queue workflow, but it can keep the agent active until stopped.
while true; do ... tasks/next?skills=YOUR,SKILLS&timeout=25 ... Don't add sleep to the polling loop — the server already waits up to 25s.
Run polling only in a visible session, set a user-approved timeout or stop condition, and do not let the agent claim work autonomously.
