To-Do

Suspicious. Audited by ClawScan on May 10, 2026.

Overview

The skill is a coherent reminder scheduler, but it builds operating-system scheduler commands from reminder text and other arguments in a way that could allow unintended shell command execution.

Install only if you are comfortable with local OS scheduled jobs waking OpenClaw later. Avoid reminders containing shell characters or secrets, review pending tasks regularly, and prefer a version that validates inputs and avoids shell-string execution.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A specially crafted reminder or argument containing shell syntax could cause local commands to run under the user's account instead of only scheduling a reminder.

Why it was flagged

The shell command is assembled from scheduler arguments, including reminder text, user/channel routing, timezone, and time. Only single quotes in the instruction are escaped, while other shell-sensitive characters and other arguments are not validated before exec runs the command.

Skill content
const agentCommand = `${OPENCLAW_BIN} agent --message '${safeInstruction}' --to '${userId}' --channel '${channel}' --deliver`;
const atCmd = `echo "${agentCommand} >> /tmp/to-do.log 2>&1" | TZ="${tz}" at "${formattedTime}"`;
const res = await execute(atCmd);
Recommendation

Do not schedule tasks containing shell metacharacters. The skill should validate userId, channel, timezone, and time strictly, and use safer APIs such as spawn/execFile or scheduler bindings instead of shell string construction.

Note (High Confidence)
ASI10: Rogue Agents
What this means

The agent may act later, after the current conversation, based on the scheduled instruction.

Why it was flagged

The skill intentionally creates scheduled OS jobs that wake the agent in the future. This is disclosed and central to the purpose, but it is persistent autonomous behavior the user should understand.

Skill content
programs one-off delayed actions using the OS native scheduler (`at` on Linux/macOS · `schtasks` on Windows). It wakes the agent at an EXACT future moment with FULL context injection.
Recommendation

Review scheduled tasks with the list command and delete any task that is no longer wanted or that was scheduled with unclear instructions.

What this means

Sensitive details placed in a reminder may persist in the local scheduler and be reintroduced to the agent later.

Why it was flagged

The future agent prompt is built from the original task text and stored in the scheduled job until execution. That stored prompt can include sensitive paths, names, URLs, or other details supplied by the user.

Skill content
const instruction = `[System: Scheduled Task Executed] \n- Created at: ${now}\n- Scheduled for: ${timeArg}\n- Original instruction: ${task}`;
Recommendation

Avoid putting secrets or unnecessary private data in scheduled reminders, and keep scheduled instructions specific but minimal.