ClawHub

Dial A Cron

Security checks across malware telemetry and agentic risk

Overview

Dial-a-Cron is transparent about being powerful, but its configs can run shell commands, read local/network data, persist outputs, and send them externally without strong built-in limits.

Install only if you will audit every job config and run it under a low-privilege, isolated account or container. Restrict DAC_JOBS_DIR, DAC_STATE_DIR, and DAC_LOG_DIR permissions; avoid jobs that output secrets; and allowlist or disable command diffs, arbitrary HTTP targets, webhooks, email, A2A, Telegram, and file routes. The pending VirusTotal telemetry was not used as the basis for this verdict.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd = spec["cmd"]
    label = spec.get("label", cmd[:40])
    try:
        result = subprocess.run(
            cmd, shell=True, capture_output=True, text=True, timeout=15
        )
        output = result.stdout.strip()
Confidence
97% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=15 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
target = spec.target_id or spec.to
        try:
            cmd = f'openclaw message send --to "{target}" --message "{message[:4000]}"'
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
            if result.returncode != 0:
                return f"Telegram delivery failed: {result.stderr[:200]}"
            return None
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
agent = spec.target_id or spec.to
        try:
            cmd = f'openclaw a2a send --to "{agent}" --message "{message[:2000]}"'
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
            if result.returncode != 0:
                return f"A2A delivery failed: {result.stderr[:200]}"
            return None
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
subject = f"[Dial-a-Cron] [{severity.upper()}] {self.job_id}"
            full_body = f"{summary}\n\n{body[:4000]}" if body != summary else summary
            cmd = f'gog gmail send --to "{to_addr}" --subject "{subject}" --body "{full_body[:4000]}"'
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
            if result.returncode != 0:
                return f"Email failed: {result.stderr[:200]}"
            return None
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)

Tainted flow: 'log_path' from os.environ.get (line 78, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
log_path = str(Path(LOG_DIR) / f"{job_id}.log")
        now = datetime.now(timezone.utc).isoformat()
        entry = f"[{now}] [{severity.upper()}] {summary}\n"
        with open(log_path, "a") as f:
            f.write(entry)
        return log_path
Confidence
81% confidence
Finding
with open(log_path, "a") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill metadata advertises broad capabilities in prose, but it does not declare permissions in a structured way despite having effective access to environment data, local files, network, shell execution, and file writes. This creates a real trust and review gap: installers or policy engines may under-estimate the skill's reach, making dangerous behavior easier to approve or run without proper isolation.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Allowing arbitrary command execution materially expands the skill beyond simple diffing into general host command execution. In the stated OpenClaw context with persistent memory, HTTP, file reads, and shell access, this broader capability increases the chance of abuse for data exfiltration, lateral movement, or destructive actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes automatic routing of cron output to external channels such as Telegram and Slack but does not warn that job output may contain secrets, internal system details, or other sensitive data. In a stateful automation skill with broad I/O and shell execution, this omission materially increases the risk of unintended data exfiltration through normal feature use.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README advertises persistent memory between runs without describing what data is stored, how long it is retained, or whether sensitive outputs may be persisted. Because this skill is stateful and designed to process cron job results over time, users may unknowingly retain secrets, personal data, or operational artifacts on disk, expanding exposure if the host or state store is accessed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Webhook delivery sends summary and body content to an arbitrary external URL with no in-code consent, trust boundary enforcement, or destination restrictions. In a skill explicitly described as stateful with broad I/O and persistent memory, this creates a real exfiltration channel for sensitive cron output and internal state.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
File delivery writes routed content to any path supplied in target_id and creates parent directories automatically. In this skill context, that can expose sensitive job output to unintended locations or enable unauthorized file writes within the agent's filesystem scope.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Email delivery transmits routed content externally through the gog CLI without any approval flow or destination control. Given this skill's broad I/O and persistent routing behavior, that is a meaningful exfiltration risk for sensitive summaries, bodies, and job metadata.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- Run in an **isolated environment** with limited network access (consider denying outbound webhooks if you do not want potential exfiltration).
- Ensure `openclaw` and `gog` CLIs exist and run with least privilege.
- Whitelist HTTP targets and restrict diff file paths to specific safe directories. Avoid diffs on secrets or system files.
- The code uses `subprocess.run(..., shell=True)` with values from job configs and outputs — unsanitized fields could allow shell injection.
- The skill can read arbitrary local files, make HTTP requests (including to internal IPs), and post outputs to external endpoints.
- Persisted state/logs may contain sensitive data from jobs — review storage permissions.
Confidence
97% confidence
Finding
subprocess.run(..., shell=True

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal