Longrunning Agent
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: longrunning-agent
Version: 1.1.1
The skill instructs the AI agent to execute an optional `init.sh` script found in the project directory as part of its workflow (SKILL.md). This presents a significant Remote Code Execution (RCE) vulnerability, as the agent would execute arbitrary code from an untrusted or compromised project's `init.sh` without explicit sanitization or warning. Additionally, the `manifest.json` lists `gh` (GitHub CLI) as a required tool, granting the agent broad capabilities for interacting with GitHub repositories, which could be misused if the agent is later prompted maliciously. While these capabilities are risky, there is no direct evidence of intentional malicious behavior or self-exploitation within the provided skill files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A project setup script could install packages, change files, or run other commands on the user’s machine.
The workflow may execute a project-local setup script. This is common for development workflows, but init.sh can contain arbitrary shell commands.
3. **Initialize** - Run `init.sh` if needed
Inspect init.sh and approve local setup commands before allowing the agent to run them, especially in untrusted projects.
The agent may record task completion or commit changes before the user has reviewed the work.
The skill instructs the agent to modify project state and create git commits. This is aligned with project-management automation, but it changes the user’s repository.
7. **Mark Complete** - Set `passes: true` in `task.json`
8. **Commit** - Make atomic git commit
Review file changes and test results before accepting task completion markers or git commits.
Incorrect or malicious edits to workflow files could steer the agent toward the wrong tasks or instructions in later sessions.
The skill relies on persistent project files that are reused across sessions. This is its core function, but those files can influence future agent behavior.
- `CLAUDE.md` - Project instructions and workflow guide
- `task.json` - Task list with priorities and dependencies
- `progress.txt` - Log of work completed
Keep these files in trusted project storage, review unexpected edits, and avoid placing secrets in progress logs or task descriptions.
If this web integration is enabled elsewhere, project details and session output could be stored outside the local project.
The documentation claims integration with a web app and logging of session output, but the provided artifacts do not describe the destination, authentication, retention, or opt-in controls.
- Tasks sync with the web database
- Progress entries are captured
- Session output is logged
- Git commits are tracked
Verify where the web app stores data and what it logs before using the integration with private code, credentials, or sensitive project information.
Users may need an additional configured tool that is not reflected in the declared requirements.
The skill references an external CLI dependency, while the registry metadata lists no required binaries. This looks like an undeclared setup dependency rather than malicious behavior.
Ensure Claude Code CLI is installed and configured
Install and configure only trusted CLI tools, and confirm which account or workspace the CLI will use.
