Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dial A Cron
v2.0.0
Stateful cron system for OpenClaw with persistent memory, change detection, smart routing, token budget tracking, and self-healing. Requires 'openclaw' and '...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (high confidence)
Purpose & Capability
The name and description (stateful cron with diffs, routing, budgets, self-heal) match the included scripts. However, the skill metadata declares no required binaries or credentials, while the code explicitly shells out to external CLIs (openclaw and gog) and reads optional env vars (DAC_JOBS_DIR, DAC_STATE_DIR, DAC_LOG_DIR). Undeclared dependencies are an incoherence: an operator would reasonably expect required CLIs and credentials to be declared.
Instruction Scope
SKILL.md and the preflight instructions direct the agent/operator to run preflight and inject DAC_CONTEXT into LLM prompts. The preflight/diff engine can read arbitrary local files, run arbitrary commands, and fetch arbitrary HTTP URLs defined in job configs; those results can be placed into DAC_CONTEXT and routed to external webhooks or emailed. The runtime instructions therefore allow collection and transmission of local file contents and command outputs; this scope is broader than a minimal cron wrapper and is high-risk unless job configs are strictly controlled.
Install Mechanism
No install spec (instruction-only): the bundle contains Python scripts, but nothing is downloaded or auto-executed by an installer. This lowers supply-chain risk; however, consumers receive executable scripts that must be run locally and should therefore be audited before execution.
Credentials
The skill declares no required env vars or credentials, yet the code reads optional env vars (DAC_JOBS_DIR, DAC_STATE_DIR, DAC_LOG_DIR) and shells out to external CLIs that typically require credentials (openclaw, gog). It also accepts webhook URLs, file paths, and agent endpoints from job configs. The absence of declared dependencies/credentials is disproportionate and could mislead operators about runtime capabilities and privileges.
Persistence & Privilege
The skill persists state, logs, and memory under local directories (state/, memory/, logs/). 'always' is not set. Persisted files may contain sensitive outputs or carry data from jobs; this is expected for a stateful cron but operators should review storage locations and permissions.
Scan Findings in Context
[subprocess-shell-true] expected: The code needs to invoke commands and external CLIs (openclaw, gog, user commands), so subprocess usage is expected. However many calls use shell=True with values derived from job configs or outputs, which is a shell-injection risk if those fields are not strictly sanitized or trusted.
[http-network-io] expected: Diff engine and router make outbound HTTP(S) requests (urllib.request.urlopen and webhook POSTs). This aligns with the advertised 'diff http' and webhook routing features, but it enables requests to arbitrary URLs (including internal IPs) which can facilitate exfiltration if job configs are malicious or misconfigured.
[local-file-read] expected: Diffs support reading arbitrary files (file type diffs). That is expected for change-detection features, but it means local files (including sensitive ones) can be read and included in DAC_CONTEXT or routed externally if job configs point to them.
[writes-state-to-disk] expected: The skill persistently stores state, logs, and delivery history. This is consistent with a stateful cron but may capture sensitive outputs — review storage permissions and retention.
[missing-declared-deps] unexpected: Metadata declares no required binaries or env vars, but SKILL.md and code require openclaw and gog CLIs and read DAC_* env vars. The mismatch can hide runtime failures or unexpected privilege/credential usage.
[unsanitized-input-in-shell] unexpected: Several delivery and diff paths build shell commands embedding config values and message bodies (e.g., openclaw/gog calls) without escaping. Embedding untrusted job config fields or outputs into these shells risks command injection and should be treated as a serious concern unless inputs are validated or shell usage is avoided.
What to consider before installing
This skill appears to implement the advertised features but requires careful handling. Before installing:
- Audit every job config (jobs/*.json). Pay special attention to 'diffs' (file paths, commands, URLs) and 'routes' (webhook URLs, target_id) and remove any targets you don't trust.
- Treat job configs as privileged: do not point diffs at secrets or system files. Avoid command diffs unless you control the commands.
- Run Dial-a-Cron in an isolated/containerized environment with egress controls; consider blocking outbound webhooks unless explicitly whitelisted.
- Ensure openclaw and gog CLIs exist and run with least privilege; verify credential use for those tools.
- Look for subprocess.run(..., shell=True) usages in the code (router.py, diff.py, others) and either sanitize/escape all inputs or modify code to use argument arrays (shell=False).
- If you cannot audit and control job configs and network access, do not install in a production environment. If in doubt, run the scripts in a disposable VM/container and monitor network and file activity.