Agent Todo
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Agent Todo is a disclosed local task queue, but enabling its heartbeat or hooks lets saved task text drive future agent work.
Install this if you want agents to keep and execute a persistent local work queue. Before enabling hooks or heartbeat for all workspaces, review what will be written to HEARTBEAT.md, keep .agent-todo/tasks.json scoped to trusted tasks, and verify any target agent workspace before using dispatch. The provided main Python artifact was truncated, so review the full source if available before relying on it in high-impact environments.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Once heartbeat wiring is enabled, tasks left in the queue can cause later agent actions without a fresh user prompt.
The skill can persist heartbeat instructions that cause future agent turns to claim and execute queued tasks. This is disclosed and purpose-aligned, but it creates ongoing automation.
bash ./script.sh setup-heartbeat --all --write ... During heartbeat, run: bash ./script.sh run-pending --claim ... If it returns EXECUTE_NOW, do the task immediately.
Use setup-heartbeat, especially --all --write, only for intended workspaces; periodically review HEARTBEAT.md and the .agent-todo queue; remove the managed block to disable automation.
A mistaken, ambiguous, or overly broad commitment in a reply could become a future task for the agent.
The reply hook can turn hook-supplied reply text into a persistent queued task. That is the intended feature, but queued text may later be treated as execution context.
REPLY_CONTENT="${REPLY_CONTENT:-${1:-}}" ... cmd=(add "$title" "${add_args[@]}")
Enable the post-reply hook only for trusted workflows, review queued tasks before relying on heartbeat execution, and cancel or block tasks that were inferred incorrectly.
Task titles, next actions, sources, and success criteria may be written into another agent workspace when dispatch is used.
Cross-agent dispatch moves task details between locally registered agent workspaces based on self-declared local identities. This is disclosed and opt-in.
`dispatch` scans workspaces from `~/.openclaw/openclaw.json`, reads each workspace's `.agent-todo/local.json`, and writes the task into the matching target workspace.
Verify registered OpenClaw workspaces and .agent-todo/local.json identities before dispatching, and avoid including sensitive details in tasks sent to other agents.
