Low Risk — Risk Score 18/100
Last scan: 23 hr ago
async-queue
Schedule delayed tasks between OpenClaw agents — set reminders, chain tasks, coordinate agents on a delay. File-backed, no infra needed.
Well-documented async task queue skill with accurate security disclosures; install.sh shell usage is expected for a macOS launchd installer and fully declared in SKILL.md frontmatter.
Skill Name: async-queue
Duration: 57.3s
Engine: pi
Safe to install
No blocking concerns. Consider pinning Node.js version in package.json for reproducibility.

Findings (3 items)

Severity | Finding | Category | Location

[Low] No dependency pinning | Supply Chain | package.json:1
package.json declares no npm dependencies and no Node.js version constraint beyond the engines field. The skill relies only on Node.js built-in modules (fs, http, crypto, path), with no third-party packages, which reduces supply chain risk.
    "engines": { "node": ">=18" }
→ Consider adding a .nvmrc or pinning an exact version in the engines field for reproducibility.

[Low] launchd daemon registered with elevated privileges | Priv Escalation | scripts/install.sh:57
install.sh registers a launchd service that auto-starts on login with KeepAlive. This is expected behavior for a background daemon and is explicitly disclosed in the SKILL.md security_disclosure. The scope is confined to OpenClaw's queue directory.
    launchctl load "$PLIST"
→ No action needed — behavior is disclosed and scoped to the skill's purpose.

[Info] install.sh hardcodes LaunchAgents path under ~/Library | Sensitive Access | scripts/install.sh:13
The plist path ~/Library/LaunchAgents/ai.openclaw.queue-daemon.plist is hardcoded. This is standard macOS practice and not a security risk, but the service name is worth noting.
    PLIST="$HOME/Library/LaunchAgents/ai.openclaw.queue-daemon.plist"
→ Informational only; no action required.
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | install.sh:16-30 (mkdir/cp), daemon.js:45-51 (queue read/write)
Network | READ | READ | ✓ Aligned | daemon.js:89-108 — HTTP POST only to 127.0.0.1:18789 (localhost only)
Shell | WRITE | WRITE | ✓ Aligned | install.sh:57 — launchctl load/unload; SKILL.md security_disclosure explicitly d…
Skill Invoke | NONE | READ | ✓ Aligned | plugin/index.ts — POST /api/queue-wake endpoint registered; daemon invokes via l…
Environment | NONE | NONE | | No os.environ access in any script
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser access
Database | NONE | NONE | | File-backed JSON queue, not a database
External URLs (1 finding)

[Medium] External URL | scripts/install.sh:47
http://www.apple.com/DTDs/PropertyList-1.0.dtd

File Tree

11 files · 29.0 KB · 975 lines
JavaScript: 3 files · 462 lines | Markdown: 3 files · 279 lines | TypeScript: 1 file · 90 lines | Shell: 1 file · 84 lines | JSON: 3 files · 60 lines
├─ 📁 plugin
│ ├─ 📜 index.ts TypeScript 90L · 2.8 KB
│ └─ 📋 openclaw.plugin.json JSON 14L · 358 B
├─ 📁 references
│ └─ 📝 PROTOCOL.md Markdown 90L · 2.5 KB
├─ 📁 scripts
│ ├─ 📜 daemon.js JavaScript 173L · 5.0 KB
│ ├─ 🔧 install.sh Shell 84L · 3.1 KB
│ ├─ 📜 push.js JavaScript 107L · 2.7 KB
│ └─ 📜 queue-cli.js JavaScript 182L · 4.7 KB
├─ 📋 package.json JSON 21L · 494 B
├─ 📋 public.json JSON 25L · 1.0 KB
├─ 📝 README.md Markdown 27L · 753 B
└─ 📝 SKILL.md Markdown 162L · 5.6 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
none | N/A | node-builtins | No | Skill uses only Node.js built-in modules: fs, http, crypto, path — no npm dependencies

Security Positives

✓ daemon.js uses only Node.js built-in modules — no third-party dependencies to audit
✓ Task delivery uses only Node's built-in http module (no execSync, no child_process)
✓ All network calls are restricted to 127.0.0.1:18789 (localhost) — no external network access
✓ No credential harvesting: no os.environ iteration, no ~/.ssh, no ~/.aws, no .env access
✓ No base64, eval, or obfuscated code anywhere in the codebase
✓ Target validation in daemon.js checks targets.json before accepting agent names
✓ SKILL.md includes a dedicated security_disclosure field covering all non-obvious behaviors
✓ Lock file mechanism prevents duplicate daemon instances (daemon.lock)
✓ TTL mechanism prevents stale tasks from piling up
✓ User-configurable targets.json — no hard-coded agent names
✓ Queue-wake plugin uses OpenClaw's built-in plugin auth, no custom credential handling
✓ All file operations confined to ~/.openclaw/queue/ and extensions/ — no sensitive path access