Task Engine
PassAudited by ClawScan on May 10, 2026.
Overview
Task Engine appears purpose-aligned for task orchestration, but users should notice its persistent task state, heartbeat automation, inter-agent dispatch context, and a documented command that can wipe its task records.
This skill looks coherent for managing multi-step projects. Before installing, understand that it stores task state under the OpenClaw workspace, can be wired into a recurring heartbeat, and may pass task context to other agents. Do not run the documented `rm -rf .../workspace/tasks` test reset unless you intentionally want to delete all saved Task Engine tasks.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the documented manual test as written could erase existing Task Engine task records.
This manual test command deletes the entire Task Engine runtime task directory. It is scoped to the skill's own task data, but it is destructive and has no explicit confirmation step.
rm -rf /home/zeron/.openclaw/workspace/tasks
Only run the reset command when you intentionally want to remove all saved Task Engine tasks; consider replacing it with a safer, confirmed cleanup step.
Once integrated, the skill may continue reading task state and updating task status during scheduled heartbeat runs.
The skill documents integrating itself into a recurring heartbeat so it can continue checking tasks after setup. This persistence is disclosed and aligned with the monitoring purpose.
Add step 4.3 to the heartbeat's `cmd_beat()` function ... from engine.checker import check_all_tasks ... te_result = check_all_tasks()
Add the heartbeat integration only if recurring monitoring is desired, and disable auto-transition or remove the heartbeat hook if you want fully manual control.
Task details and agent progress history may remain on disk and influence later task checks or dispatches.
Task descriptions, subtask state, and event logs are stored persistently in workspace files and reused by heartbeat checks and dispatch logic.
workspace/ tasks/ index.json ... TASK-001/ task.json ... subtask_01.json ... log.jsonl
Avoid storing secrets in task descriptions or logs, review task files when needed, and archive or delete stale task data intentionally.
Subtask descriptions, dependency summaries, and acceptance criteria may be shown to or acted on by other agents.
The dispatcher builds a context package containing task and subtask details for another agent. This is core to the skill's purpose, but it means task content is passed into inter-agent prompts.
"description": subtask.get("description", ""), "acceptance_criteria": subtask.get("acceptance_criteria", []), "dependencies": dependencies, "agent": agentUse dry-run or context-preview modes before dispatching sensitive work, and keep untrusted or secret content out of task fields.
Installation or invocation may fail on systems without python3, and automated preflight checks may not catch that dependency.
The skill documents Python CLI usage, while the registry metadata declares no required binaries and there is no install spec. This under-declaration affects setup validation, not observed malicious behavior.
python3 scripts/task_engine.py create "Implement feature X"
Confirm python3 is available before use, and consider declaring it in metadata for clearer installation expectations.