Skill v1.0.3

ClawScan security

To-Do · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 27, 2026, 11:27 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose (scheduling future agent actions) matches what it installs and asks for, but the runtime code builds shell commands from user-supplied fields without robust sanitization, creating a real command-injection / misuse risk that the SKILL.md asks users to avoid rather than enforcing.
Guidance
This skill generally does what it says — it schedules the OpenClaw agent to run later — but it currently trusts callers to avoid dangerous inputs instead of enforcing safety. Before installing:
1) Confirm OPENCLAW_BIN points to a trusted, least-privileged OpenClaw binary.
2) Review or modify to-do.js to avoid shell-based exec interpolation (use spawn/execFile with argument arrays or strictly validate/sanitize userId, channel, and task content).
3) Test scheduling in a non-production environment to confirm no command-injection paths exist (try attacker-style inputs).
4) Prefer restricting scheduled messages to non-sensitive content and avoid embedding secrets or write-access file paths in scheduled instructions.
If you want higher assurance, ask the author to add input validation and change exec usage to a safer API; having that change would increase confidence from medium to high.

Review Dimensions

Purpose & Capability
ok
Name/description, required binary (node), and the two env vars (OPENCLAW_BIN, OPENCLAW_TZ) align with a scheduler that calls the OpenClaw agent at a future time. The script uses OS schedulers ('at' / 'schtasks') and invokes the openclaw binary to deliver messages, which is expected for this functionality.
Instruction Scope
concern
SKILL.md explicitly instructs careful sanitization (no shell metacharacters, use only raw alphanumeric for user_id/channel) and to create fully self-contained instructions. However the code does not enforce those constraints: userId and channel are interpolated into shell commands without validation or escaping on POSIX/Windows flows. The skill therefore relies on politeness of callers rather than safe code, increasing risk of command injection or scheduling of malicious/overly-privileged actions. The skill also encourages including exact file paths and tool names in scheduled instructions — reasonable for clarity but increases chance of scheduling sensitive operations.
Install Mechanism
ok
No install spec (instruction-only with provided JS file). Required runtime is node; no external downloads or archive extraction. Low install risk.
Credentials
note
Only OPENCLAW_BIN and OPENCLAW_TZ are required, which is proportionate for a scheduler that must call a local openclaw binary and interpret user timezone. However OPENCLAW_BIN points to a binary that will be executed later; if that binary is untrusted or has broad privileges, scheduled tasks can later trigger powerful actions. The skill does not request other secrets or credentials.
Persistence & Privilege
note
always is false (normal). The skill writes nothing itself but creates OS scheduler entries (at/schtasks) which persist and will run the openclaw agent at scheduled times. That persistence is appropriate for a scheduler but does increase blast radius because tasks run autonomously later; combined with the command construction issues this is a significant concern.