Task Protection

Comprehensive task lifecycle management with automatic tracking, failure analysis, and completion feedback. Use when executing recurring system tasks (backup...

This skill is mostly coherent with its stated purpose (task lifecycle and health checks), but I found several concerning implementation choices you should review before installing or running: - Hard-coded credential: scripts/daily-news.sh includes a TAVILY_API_KEY value embedded in source. Treat that as a secret leak risk and remove or replace it with a configurable environment variable if you intend to run the scripts. Verify whether that key is legitimate (dev/test) and whether it should be rotated. - Fixed absolute paths and user IDs: the scripts assume WORKSPACE=/home/admin/.openclaw/workspace, a specific local CLI path, and a Feishu user id. These will fail or may write/read files in an unexpected user account. Make the workspace path configurable (env var) and remove baked-in user identifiers. - External network calls: the daily-news script POSTs to https://api.tavily.com/search and fetches wttr.in. If you run the skill, those requests will leave your environment and may include embedded keys or data. Review and sanitize what is sent, and ensure you are comfortable with that external service. - System access: health-check and other scripts probe system services (systemctl), crontab, disk/memory usage and may read task files. These actions are reasonable for a health-check tool but mean the scripts will access system configuration and files—run them in a trusted or sandboxed environment first. Recommended actions before use: 1. Inspect and remove/replace any hard-coded API keys and sensitive IDs; switch to env vars (e.g., TAVILY_API_KEY, WORKSPACE) and declare them in documentation. 2. Update scripts to accept a configurable workspace root and not assume /home/admin. Test in a non-privileged sandbox first. 3. If you need the network integrations, verify the external service (tavily.com) and rotate any embedded keys; consider restricting network access or monitoring outbound traffic. 4. Review logs/state files location to ensure they do not leak sensitive content and that file permissions are appropriate. 5. If the author can confirm the embedded API key is a harmless demo key and provide a configurable path/ENV approach, my confidence would increase. Otherwise treat this skill as suspicious and audit/modify the code before running.

Type: OpenClaw Skill Name: task-protection Version: 1.0.0 The skill bundle provides a comprehensive framework for task lifecycle management, including logging, failure analysis, and reporting. It is classified as suspicious primarily due to the presence of a hardcoded API key (TAVILY_API_KEY) in 'scripts/daily-news.sh', which represents a significant credential exposure vulnerability. Additionally, the bundle includes scripts ('scripts/system-health-check.sh' and 'scripts/daily-news.sh') that perform broad system monitoring and external network requests; while these actions are consistent with the stated purpose, they represent a high-privilege attack surface if misused.