📦 Task Protection

v1.0.0

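Full-lifecycle protection for task execution: automatically tracks progress, analyzes failure causes, and reports completion status in real time. Designed for recurring system tasks such as backups and batch processing, to ensure critical workflows run with zero interruption.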

Last updated: 2026/4/22
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
The skill's files and runtime instructions largely match a task-tracking purpose, but there are mismatches and risky choices (hard-coded API key, fixed /home/admin paths, external network calls and fixed user IDs) that are disproportionate or unexplained.
Assessment recommendations
This skill is mostly coherent with its stated purpose (task lifecycle and health checks), but I found several concerning implementation choices you should review before installing or running: - Hard-coded credential: scripts/daily-news.sh includes a TAVILY_API_KEY value embedded in source. Treat that as a secret leak risk and remove or replace it with a configurable environment variable if you intend to run the scripts. Verify whether that key is legitimate (dev/test) and whether it should be ...
Detailed analysis
Purpose and capabilities
Name/description (task lifecycle + failure analysis) align with the provided shell scripts (task-utils, health checks, reports, registration). However the code embeds absolute paths (/home/admin/.openclaw/workspace), a hard-coded third‑party API key, and a fixed Feishu user id / message CLI path—these are environment-specific and not declared in the skill metadata, which is an inconsistency.
Instruction scope
SKILL.md and scripts instruct writing state files (memory/tasks/*.json), logs, and manipulating a workspace — expected. But scripts also read local system state (systemctl, crontab, df, free, du), read task lists (TASKS_FILE), and call external services (tavily.com, wttr.in) and local CLI tools. Those operations are plausible for health-checks/news push, but they access system configuration and make external network requests without any declared env/config options—granting broad file and network access with hard-coded endpoints/keys.
Install mechanism
No install spec (instruction-only plus shipped scripts). No downloads or external installers are run by the skill itself. Risk comes from shipped scripts that will execute on install/use, but there is no opaque install step that fetches arbitrary code.
Credential requirements
The skill declares no required env vars, yet scripts contain a hard-coded API key (TAVILY_API_KEY) and assume a fixed workspace path (/home/admin/.openclaw/workspace) and local CLI locations. Embedding a live API key and fixed user/paths is disproportionate and risky: it may leak a credential, fail unpredictably on other systems, or cause unintended writes to /home/admin. There are also external network calls (tavily.com) that will transmit queries using that key.
Persistence and privileges
always is false and the skill is user-invocable; it does not request persistent platform privileges. It writes state and log files under the assumed workspace (normal for a tracking tool). However combining autonomous agent invocation (default) with scripts that perform network calls and system checks increases blast radius if misused—this is a contextual risk, not an intrinsic privilege flag in the bundle.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.0 · 2026/3/15

Initial release of task-protection 1.0.0
- Introduces a comprehensive task lifecycle management system with automatic tracking, failure analysis, and completion feedback.
- Provides 9 core tool functions for task registration, logging, stage tracking, status queries, and automated reporting.
- Supports 8 types of failure analysis, customizable retry logic, and progress tracking.
- Includes script examples and AI-friendly registration methods for recurring, critical, or long-running tasks.
- Features structured logging, JSON-based status files, summary reports, and detailed documentation for best practices and troubleshooting.


Install command

Official: npx clawhub@latest install task-protection
Mirror (accelerated): npx clawhub@latest install task-protection --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库