Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Task Engine

v1.0.0

Multi-agent task orchestration engine with state machine tracking. Use when complex multi-step projects need automated monitoring, multi-agent collaboration,...

by Rongze Gao (@zeron-g)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the included code: a state-machine task engine, dispatcher, heartbeat checker, and Discord-formatting helpers. The files and CLI commands align with the stated orchestration/heartbeat/Discord-notify purpose. There are no unrelated credentials or external services demanded by the skill.
Instruction Scope
SKILL.md instructs the operator to run commands from a hard-coded skill root (/home/zeron/...) and to add a snippet to the system heartbeat that imports the skill's checker module. The runtime instructions read and write workspace tasks (index.json, task directories) and update task files, which is expected for this tool. The heartbeat modification, however, gives the skill periodic execution and requires editing system code. Ensure the paths are correct for your environment and back up the heartbeat code before changing it.
Install Mechanism
There is no external installer or download; source files are bundled with the skill. No remote URLs, package installs, or archive extraction are used. This is low-risk from an install-mechanism perspective, though the registry metadata calls the skill 'instruction-only' while many code files are present, a discrepancy worth verifying.
Credentials
The skill declares no required environment variables or credentials. It reads local config/settings.yaml (which may contain guild_id/human_user_id but not tokens) and the workspace/tasks directory. No secrets are requested or referenced in the files provided. This access is proportional to a tool that manages local task files and notifies via the agent platform.
Persistence & Privilege
always:false (good). However, SKILL.md explicitly asks the operator to modify the system heartbeat to call check_all_tasks, which, once done, gives the skill repeated autonomous execution by the orchestrator. Autonomous invocation is expected for skills, but be aware that installing the heartbeat hook allows the skill to run periodically and modify tasks/index.json without further manual invocation.
Assessment
This skill appears to be what it claims: a local, file-backed multi-agent task engine. Before installing or enabling it:
1) Verify where the skill files will be placed and update SKILL.md hard-coded paths to your environment (the examples use /home/zeron/...).
2) Back up your heartbeat script and test the heartbeat integration in a sandbox before adding the import snippet—the snippet will cause the skill to run every heartbeat and can change index.json/task files.
3) Inspect config/settings.yaml (guild_id, human_user_id, agent workspace roots) and remove or adjust any values you don't want used; the skill does not include Discord tokens, but it formats messages that your agent (Eva) will send via platform tools.
4) Run the bundled tests (pytest) in an isolated workspace to confirm behavior.
5) If you are uncomfortable with periodic autonomous execution, do not modify the heartbeat and invoke the CLI manually instead.
