long-running-task-management
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill reads and writes task-specific state to a local file path (
~/.openclaw/skill-state/long-running-task-management/state.yaml). While this is the intended mechanism for statefulness, it involves direct interaction with the host file system. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and acts upon instructions (such as the
next_actionfield) stored in a local state file that could potentially be modified by other processes on the system. - Ingestion points: The
state.yamlfile is read during the "Resume After Interruption" and "Cron Wakeup Behavior" phases defined inSKILL.md. - Boundary markers: None; the skill does not implement delimiters or warnings to ignore embedded instructions within the task state fields.
- Capability inventory: The skill has the capability to read/write local files and execute task-related stages which may involve arbitrary shell commands or file modifications.
- Sanitization: No validation, sanitization, or integrity checking is performed on the data retrieved from the state file before it is used to guide the agent's next actions.
Audit Metadata