Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Reminder
v1.0.1Set reminders using natural language. Automatically creates one-time cron jobs and logs to markdown.
⭐ 0· 71·0 current·0 all-time
byАлексей Дворников@dvornikov-dev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name/description (natural-language reminders, cron scheduling, markdown logging) align with the code and declared binaries: scripts use 'openclaw cron add', write a reminders file, and require bash/date/jq/openclaw. Requiring the openclaw CLI is expected for this purpose.
Instruction Scope
SKILL.md and the scripts disagree about log formats and processing. create-reminder.sh and create-recurring.sh append lines like '- [scheduled] ...' or '- [recurring] ...', but check-reminders.sh only looks for '- [ ] ...' and marks them '[x]'. As written, check-reminders will not detect or mark the reminders created by the other scripts. The parsing and sed replacement logic is brittle (fragile regex escaping) and could fail on messages with special characters, causing missed sends or incorrect edits. There are also assumptions about input capitalization and timezone formats that are brittle (e.g., weekday matching and TIMEZONE fallback).
Install Mechanism
Instruction-only skill with bundled shell scripts; no network downloads or installers. Nothing writes binaries to unexpected locations. Low install surface, but the included scripts will write files at runtime (config.env in the skill directory and the user REMINDERS_FILE).
Credentials
Registry metadata lists no required environment variables, but SKILL.md clearly requires/configures TIMEZONE and TO (recipient ID) and will write them into config.env; these are necessary for operation. No unexpected secret-scoped env vars are requested, but the inconsistency between the registry metadata and the runtime configuration is misleading and should be clarified. The skill will create/modify ~/reminders.md (or a configured path), which is proportionate but worth noting.
Persistence & Privilege
always:false (no forced permanent inclusion). The skill writes its own config.env and a reminders file and creates scheduled jobs via the platform's openclaw cron API — this is expected for a reminder tool. It does not attempt to modify other skills or global agent settings.
What to consider before installing
This skill appears to be a genuine reminder tool, but there are clear implementation mismatches and fragile text parsing that could cause reminders to be ignored or your reminders file to be edited incorrectly. Before installing or trusting it with real reminders:
- Inspect and back up the target reminders file (default ~/reminders.md).
- Review and, if needed, edit config.env (it will contain your recipient ID). Don’t put secrets there unless you understand the implications.
- Test with a non-critical recipient (your own test ID) to confirm create-reminder.sh and create-recurring.sh actually schedule and deliver as expected.
- Be aware that check-reminders.sh expects a different log format ("- [ ] ...") than the create scripts produce ("- [scheduled] ..." / "- [recurring] ..."); either adjust the scripts or the logging format before relying on it.
- Because the scripts use sed/grep and date parsing, messages containing unusual characters or ambiguous time phrases may break parsing — consider adding stricter escaping or safer parsing before wide use.
If you want help, I can suggest minimal fixes to align logging/parsing and harden the sed/regex usage so reminders aren't lost or corrupted.Like a lobster shell, security has layers — review code before you run it.
latestvk971zk9ef9525ke1k4zh422k6n83ax9s
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⏰ Clawdis
Binsbash, date, jq, openclaw