task-workflow
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it parses and processes task data (names, IDs, and notes) from markdown files that may be influenced by external processes or previous agent sessions.
- Ingestion points: `lib/task_persistence.py` and `cli.py` read and parse markdown files from the `/root/.openclaw/workspace/task_backlog` directory.
- Boundary markers: The skill relies on markdown table structures to delimit data but lacks explicit delimiters or instructions to the LLM to ignore potentially malicious instructions embedded within the task content.
- Capability inventory: The skill performs file system operations including reading, writing, and deleting (.unlink()) markdown files within the defined backlog directory.
- Sanitization: No evidence of sanitization or filtering for natural language instructions was found in the parsing logic.
- [SAFE]: The skill requires the installation of `pyyaml` via pip. As an industry-standard library for YAML parsing, this is considered a safe and verifiable dependency.
- [SAFE]: The persistence and cleanup logic is restricted to a specific workspace directory (`~/.openclaw/workspace/task_backlog/`), following the principle of least privilege for its intended task management purpose.
Audit Metadata