Longrunning Agent

Pass

Audited by ClawScan on May 10, 2026.

Overview

This instruction-only workflow is generally aligned with long-running project tracking, but users should review any local scripts, commits, persistent project files, and optional web logging before use.

This skill appears benign and instruction-only. Use it in trusted project directories, review init.sh before execution, check changes before commits, and confirm the behavior of any web UI integration before logging private project or session data.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A project setup script could install packages, change files, or run other commands on the user’s machine.

Why it was flagged

The workflow may execute a project-local setup script. This is common for development workflows, but init.sh can contain arbitrary shell commands.

Skill content

3. **Initialize** - Run `init.sh` if needed

Recommendation

Inspect init.sh and approve local setup commands before allowing the agent to run them, especially in untrusted projects.

What this means

The agent may record task completion or commit changes before the user has reviewed the work.

Why it was flagged

The skill instructs the agent to modify project state and create git commits. This is aligned with project-management automation, but it changes the user’s repository.

Skill content

7. **Mark Complete** - Set `passes: true` in `task.json`
8. **Commit** - Make atomic git commit

Recommendation

Review file changes and test results before accepting task completion markers or git commits.

What this means

Incorrect or malicious edits to workflow files could steer the agent toward the wrong tasks or instructions in later sessions.

Why it was flagged

The skill relies on persistent project files that are reused across sessions. This is its core function, but those files can influence future agent behavior.

Skill content

`CLAUDE.md` - Project instructions and workflow guide
`task.json` - Task list with priorities and dependencies
`progress.txt` - Log of work completed

Recommendation

Keep these files in trusted project storage, review unexpected edits, and avoid placing secrets in progress logs or task descriptions.

What this means

If this web integration is enabled elsewhere, project details and session output could be stored outside the local project.

Why it was flagged

The documentation claims integration with a web app and logging of session output, but the provided artifacts do not describe the destination, authentication, retention, or opt-in controls.

Skill content

Tasks sync with the web database
Progress entries are captured
Session output is logged
Git commits are tracked

Recommendation

Verify where the web app stores data and what it logs before using the integration with private code, credentials, or sensitive project information.

What this means

Users may need an additional configured tool that is not reflected in the declared requirements.

Why it was flagged

The skill references an external CLI dependency, while the registry metadata lists no required binaries. This looks like an undeclared setup dependency rather than malicious behavior.

Skill content

Ensure Claude Code CLI is installed and configured

Recommendation

Install and configure only trusted CLI tools, and confirm which account or workspace the CLI will use.