Reminder

Security checks across malware telemetry and agentic risk

Overview

The reminder skill mostly does what it says, but it ships with a pre-filled Telegram recipient that could receive a user’s reminder messages unless replaced.

Install only after deleting or replacing config.env and confirming TO, CHANNEL, TIMEZONE, and REMINDERS_FILE point to your own account and files. Avoid putting sensitive content in reminders until you verify delivery, and periodically review created cron jobs and local reminder logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings
Severity: Medium | Confidence: 87%

The setup flow writes recipient identifiers and timezone data into a persistent config.env file on disk without an upfront user warning about persistence or local exposure. While not inherently malicious, storing identifiers in plaintext can expose personal data to other local users, backups, logs, or accidental disclosure if file permissions are weak.

Missing User Warnings
Severity: Medium | Confidence: 95%

The skill logs reminder contents to a markdown file, which may include sensitive personal or business information such as appointments, financial tasks, health reminders, or contacts. Because this storage behavior is not prominently warned about, users may unknowingly persist sensitive text on disk where it can be read by other processes, users, backups, or sync tools.

Missing User Warnings
Severity: Medium | Confidence: 89%

The script automatically edits the user's reminders file by marking due reminders as completed and permanently deleting completed reminders older than 24 hours, without any confirmation, dry-run mode, or user-visible warning at execution time. In an agent context, this creates integrity and auditability risk because reminder history can be altered or erased automatically, making it easy for users to miss reminders or lose records unexpectedly.

Missing User Warnings
Severity: Medium | Confidence: 78%

The script automatically sources a local config.env file, which executes shell syntax in the current process rather than merely parsing key/value pairs. If that file is modified by another user, package, or supply-chain process, arbitrary shell commands could run when the skill is invoked, and hidden settings such as recipients or channels could alter reminder delivery without clear user awareness.

Missing User Warnings
Severity: Medium | Confidence: 92%

The script sends the reminder message and recipient to an external delivery mechanism via `openclaw cron add --deliver --channel ... --to ...` without any explicit user warning or consent step. Because reminder text can contain sensitive personal or business information, silently transmitting it to third-party channels increases privacy and data leakage risk in the context of a natural-language reminder skill.

Missing User Warnings
Severity: Low | Confidence: 89%

The script appends the reminder text and schedule to a markdown file in the user's home directory without prominently disclosing that persistent local logging will occur. This can expose sensitive reminder contents to other local users, backups, or later unintended disclosure, especially if the file permissions are too broad.

VirusTotal

64/64 vendors flagged this skill as clean.
