ClawHub

Reminder OC Cron Based

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it advertises: manage OpenClaw cron-based chat reminders, with normal caution around scheduled messages and the optional local helper script.

Before installing, remember that reminder text and delivery routing may be stored in scheduled cron jobs until they run or are canceled. Verify the time, message, channel, target, and account before creating reminders, and use the optional helper script only from an environment where OPENCLAW_BIN and OPENCLAW_REMINDER_* variables are trusted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Tainted flow: 'cmd' from os.environ.get (line 86, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
def run_openclaw(args):
    cmd = [OPENCLAW_BIN, "cron", *args]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise SystemExit(proc.stderr.strip() or proc.stdout.strip() or f"command failed: {' '.join(cmd)}")
    return proc.stdout.strip()
Confidence
89% confidence
Finding
proc = subprocess.run(cmd, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill explicitly instructs use of a local helper script via `python3 scripts/reminder_cron.py ...` and references environment-dependent behavior, which indicates shell and environment capabilities are part of the skill's operation despite no declared permissions. This creates a real security concern because undeclared execution capabilities reduce transparency and can allow an agent to invoke local commands or consume environment-specific routing/account data without an explicit permission boundary.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal