Task Engine
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: task-engine
Version: 1.0.0
The skill is classified as suspicious due to a critical prompt injection vulnerability. The `scripts/engine/dispatcher.py` module's `generate_dispatch_prompt` function constructs prompts for other AI agents (e.g., Claude Code) by directly embedding user-supplied `title` and `description` fields from task and subtask definitions. An attacker with the ability to create or dispatch tasks could inject malicious instructions into these fields, which would then be executed by the downstream agent, potentially leading to unauthorized actions, data exfiltration, or arbitrary command execution. While the skill's stated purpose is benign, this flaw represents a significant security risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the documented manual test as written could erase existing Task Engine task records.
This manual test command deletes the entire Task Engine runtime task directory. It is scoped to the skill's own task data, but it is destructive and has no explicit confirmation step.
rm -rf /home/zeron/.openclaw/workspace/tasks
Only run the reset command when you intentionally want to remove all saved Task Engine tasks; consider replacing it with a safer, confirmed cleanup step.
Once integrated, the skill may continue reading task state and updating task status during scheduled heartbeat runs.
The skill documents integrating itself into a recurring heartbeat so it can continue checking tasks after setup. This persistence is disclosed and aligned with the monitoring purpose.
Add step 4.3 to the heartbeat's `cmd_beat()` function ...
from engine.checker import check_all_tasks
...
te_result = check_all_tasks()
Add the heartbeat integration only if recurring monitoring is desired, and disable auto-transition or remove the heartbeat hook if you want fully manual control.
Task details and agent progress history may remain on disk and influence later task checks or dispatches.
Task descriptions, subtask state, and event logs are stored persistently in workspace files and reused by heartbeat checks and dispatch logic.
workspace/
  tasks/
    index.json
    ...
    TASK-001/
      task.json
      ...
      subtask_01.json
      ...
      log.jsonl
Avoid storing secrets in task descriptions or logs, review task files when needed, and archive or delete stale task data intentionally.
Subtask descriptions, dependency summaries, and acceptance criteria may be shown to or acted on by other agents.
The dispatcher builds a context package containing task and subtask details for another agent. This is core to the skill's purpose, but it means task content is passed into inter-agent prompts.
"description": subtask.get("description", ""),
"acceptance_criteria": subtask.get("acceptance_criteria", []),
"dependencies": dependencies,
"agent": agent
Use dry-run or context-preview modes before dispatching sensitive work, and keep untrusted or secret content out of task fields.
Installation or invocation may fail on systems without python3, and automated preflight checks may not catch that dependency.
The skill documents Python CLI usage, while the registry metadata declares no required binaries and there is no install spec. This under-declaration affects setup validation, not observed malicious behavior.
python3 scripts/task_engine.py create "Implement feature X"
Confirm python3 is available before use, and consider declaring it in metadata for clearer installation expectations.
