Opencron Skill Repo

Security checks across malware telemetry and agentic risk

Overview

This is a real cron dashboard skill, but it exposes token-bearing dashboard URLs, fetches unpinned remote content, and runs a persistent sync loop in ways users should review carefully.

Install only if you are comfortable with cron metadata and possibly prompts, outputs, and run history being copied into a dashboard location and served over HTTP. Treat any OpenCron URL containing a token as a secret, avoid exposing it publicly or posting it in job output, prefer localhost or a properly authenticated reverse proxy, and consider pinning or vendoring the dashboard assets before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions despite clearly describing file reads/writes and outbound network access. This undermines least-privilege review and makes operators more likely to approve capabilities they did not explicitly consent to, especially since the skill also fetches remote content and exposes local cron data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The stated purpose is a visual dashboard, but the documentation describes materially broader behavior: fetching remote HTML from GitHub, modifying local skill/canvas directories, running a persistent sync loop, and serving data over HTTP. This mismatch can mislead reviewers and users about the trust boundary and operational risk, allowing unexpected code/content updates and broader exposure of cron metadata.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The README explicitly documents exposing the dashboard on the machine's public IP and embedding an access token in the URL, which can leak via browser history, logs, referrers, screenshots, and shell history. It also advertises serving cron status and related data over HTTP, increasing the chance of unauthorized access to operational metadata if the token is disclosed or proxy protections are misconfigured.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The documented nginx setup serves run log JSONL files from /runs/, expanding the exposed surface beyond a simple dashboard into potentially sensitive execution history. Cron run logs often contain job names, timings, failure details, command outputs, or secrets accidentally written to logs, so externally serving them creates a meaningful confidentiality risk.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The instructions tell the agent/operator to contact an external IP-discovery service and then construct a public dashboard URL. That causes unnecessary outbound disclosure of environment metadata and normalizes publishing an externally reachable management interface, which is not strictly required for a local cron dashboard.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Mandating that the dashboard link be shown after every cron run exceeds the core display purpose and turns an internal monitoring endpoint into something routinely broadcast. Because the URL includes a bearer-style token, repeated disclosure greatly increases the chance of accidental leakage through logs, chat history, screenshots, or untrusted recipients.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The installer clones a remote repository into the local skills directory and then removes its .git metadata, which performs software deployment rather than a narrowly scoped dashboard install. This creates a supply-chain trust boundary: code and assets from a remote source are installed locally without integrity verification, and removing .git reduces auditability of what was fetched.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script fetches code directly from a GitHub repository and installs it locally, which is a classic supply-chain risk even if intended for legitimate installation. If the repository is compromised or changed unexpectedly, users will execute and trust unreviewed content on their machine.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The installer executes a local Python script obtained from the cloned skill repository, which turns installation into arbitrary code execution from remotely fetched content. This is more dangerous than downloading static dashboard assets because any compromise of the repository or script would immediately execute on the user's system during install/update.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The server binds to 0.0.0.0, making the dashboard and cron-data endpoint reachable from other hosts on the network rather than only the local machine. For a tool described as a local visual dashboard, this unnecessarily expands the attack surface and can expose job names, schedules, run history, or error details to unauthorized users on the LAN.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The /cron-data response sets Access-Control-Allow-Origin: *, allowing any website visited by the user to read the dashboard's cron data from the local service. Combined with a network-exposed or even localhost-accessible dashboard, this enables browser-based exfiltration of scheduling and operational metadata that should remain local.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script fetches HTML from a remote GitHub URL at runtime and writes it directly into the local canvas directory without integrity verification, pinning, or review. This creates a supply-chain and content-injection risk: if the remote content, repository, branch, or delivery path is modified, the local dashboard can silently become malicious and execute in the user's dashboard context.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
A local deployment script for a cron dashboard does not need to retrieve executable UI content from the network during execution, so this capability materially expands the attack surface. Because the downloaded HTML is deployed into a rendered canvas location, a compromised upstream source can inject active content that steals data, misleads users, or abuses the local application environment.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The README instructs users to launch a background sync process with nohup and &, but does not clearly warn that it will continue running independently and periodically process or publish data. Persistent background behavior can surprise users, complicate incident response, and keep exposing or syncing data after the user assumes the setup is finished.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The manual setup says the script fetches the latest dashboard from GitHub and later opens the dashboard on a network-accessible HTTP endpoint, but gives no integrity or privacy warning. Pulling remote content at deploy time and exposing operational data without clear trust and exposure guidance can lead users to unknowingly run unpinned external code/content and publish internal metadata.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The instruction is overly broad and unconditional, with no scope limitation on who should receive the link or under what circumstances. In a multi-user or automated environment, that can cause sensitive operational URLs to be exposed to unintended audiences by default.

Missing User Warnings

High
Confidence
98% confidence
Finding
The quick-start output embeds the gateway token directly in a URL without warning that it is sensitive. Query-string tokens are especially easy to leak via terminal history, browser history, referrers, screenshots, logs, and copy/paste into chats.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script copies local cron job data into a canvas-accessible JSON file, which may expose job names, schedules, commands, paths, or operational metadata to any component or user able to read from that directory. In the context of a visual dashboard, this is more dangerous because the data is intentionally prepared for presentation, increasing the likelihood of unintended disclosure beyond its original storage boundary.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly requires revealing a live dashboard URL containing the gateway token to every user after each cron execution. This is a direct secret disclosure pattern that can grant unauthorized access to cron status, run history, prompts, and related operational data if the link is intercepted or forwarded.

Ssd 3

High
Confidence
99% confidence
Finding
The quick-start section instructs operators to construct and display a public URL with the gateway token embedded in plain text. This exposes a credential in a form that is routinely captured by shells, documentation, browsers, proxies, and collaboration tools.

Session Persistence

Medium
Category
Rogue Agent
Content
### 2. Start the background sync

```bash
nohup sh skills/opencron/watch_sync.sh &
```

Keeps `cron-data.json` in sync with `jobs.json` every 30 seconds.
Confidence
83% confidence
Finding
nohup

VirusTotal

66/66 vendors flagged this skill as clean.
