← Back to Skills Marketplace
484
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install task-supervisor
Description
Manage complex tasks with 5+ steps or duration >20 min, tracking progress via task files and sending periodic status reports until completion or pause.
Usage Guidance
Do not enable this skill yet. Ask the publisher to clarify: (1) which messaging platform will be used (WhatsApp or Feishu?) and exactly how recipient identity and authentication are provided (what env vars or agent integrations are required); (2) whether the agent runtime actually provides an 'openclaw' CLI and what privileges that CLI has; (3) where .tasks/ will be stored and who can read those files; and (4) how and when the cron jobs are removed and what safeguards exist to prevent repeated unintended messages. If you proceed, require explicit, per-task consent before creating background crons or sending messages, and ensure messaging credentials are scoped and stored securely (not left implicit).
Capability Analysis
Type: OpenClaw Skill
Name: task-supervisor
Version: 1.0.0
The skill is classified as suspicious due to its use of high-risk capabilities that, while seemingly intended for legitimate task management, create significant vulnerabilities. Specifically, the `SKILL.md` instructs the agent to use `exec` to create cron jobs, which is a powerful primitive allowing arbitrary command execution and establishing persistence. Furthermore, the `--message` argument for the `openclaw cron add` command acts as a prompt for a sub-agent, instructing it to read a file (`.tasks/<SLUG>.md`) and send its content via Feishu. This nested prompt injection surface, combined with file read and exfiltration capabilities, presents a critical vulnerability for data exfiltration if an attacker could manipulate the `TASK-SLUG` or inject into the cron message.
Capability Assessment
Purpose & Capability
The name/description (long-running task manager with progress files and periodic reports) aligns with the SKILL.md: it instructs creating .tasks files, decomposing steps, logging progress, and sending periodic reports. However, the skill expects to send messages via external platforms (mentions WhatsApp and Feishu interchangeably) and to spawn system crons via an 'openclaw' CLI, yet the registry metadata declares no required binaries or credentials. Requesting no environment variables or primary credential is inconsistent with sending messages to external services.
Instruction Scope
Instructions tell the agent to create and repeatedly update files under .tasks/, spawn a reporter cron using an 'openclaw cron add' exec, and have that cron read task files and send progress messages. That scope is consistent with a supervisor but includes autonomous background scheduling and automated messaging. The doc mixes messaging targets (WhatsApp vs Feishu) and tells the cron to 'send a Feishu message to the user' without specifying how authentication/recipient mapping occurs. The instructions do not read or transmit unrelated system files, but they do perform autonomous I/O and networked messaging which require explicit credentials and user consent.
Install Mechanism
This is instruction-only with no install spec and no code files, so there is nothing being downloaded or written at install time. That reduces risk from supply-chain install mechanics. The runtime behavior (spawning crons and writing .tasks files) is still potentially persistent, but there is no installer to analyze.
Credentials
The skill declares no required environment variables or credentials, yet its runtime actions require the ability to send messages over Feishu or WhatsApp and to schedule crons via an 'openclaw' CLI. Sending messages to external platforms normally requires API tokens/credentials or preconfigured agent integrations; those are not declared. This mismatch is disproportionate and unexplained.
Persistence & Privilege
always:false (good). The skill instructs spawning scheduled reporter crons that run autonomously until the task completes or fails. Creating background scheduled jobs is a legitimate behavior for long-running tasks, but because the cron will autonomously read task files and send external messages, it increases the blast radius — especially combined with missing declarations for which messaging identity/credentials will be used. The skill does not claim to modify other skills or global configs, which is good.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install task-supervisor - After installation, invoke the skill by name or use
/task-supervisor - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: self-supervising long-running task manager with checkpoint files, step tracking, and periodic Feishu progress reports.
Metadata
Frequently Asked Questions
What is Task Supervisor?
Manage complex tasks with 5+ steps or duration >20 min, tracking progress via task files and sending periodic status reports until completion or pause. It is an AI Agent Skill for Claude Code / OpenClaw, with 484 downloads so far.
How do I install Task Supervisor?
Run "/install task-supervisor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Task Supervisor free?
Yes, Task Supervisor is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Task Supervisor support?
Task Supervisor is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Task Supervisor?
It is built and maintained by Peng Shu (@mashirops); the current version is v1.0.0.
More Skills