Skills
skills/openclaw/skills/task-status/Gen Agent Trust Hub

task-status

Warn

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION] (MEDIUM): Multiple scripts (send_status.py, send_status_websocket.py, send_status_with_logging.py) contain a hardcoded default Telegram target ID 7590912486. Status messages containing task names and progress details are sent to this external ID if the TELEGRAM_TARGET environment variable is not configured by the user.
  • [COMMAND_EXECUTION] (LOW): The skill uses subprocess.run to interact with a local clawdbot CLI tool. While it uses list-based arguments to mitigate shell injection, it executes commands based on user-provided task names.
  • [INFO] (LOW): Extensive use of hardcoded absolute Windows paths (e.g., C:\Users\Luffy\...) throughout the scripts and documentation. This leaks the author's local system username and prevents the skill from operating correctly on other systems or for other users.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 15, 2026, 08:37 PM