Opencron Skill Repo

Security checks across malware telemetry and agentic risk

Overview

This cron dashboard has a coherent purpose, but it exposes local cron data through an unauthenticated network service and trusts mutable GitHub-hosted HTML.

Install only in a trusted, tightly controlled OpenClaw environment. Prefer binding the server to localhost, adding authentication or a protected reverse proxy, vendoring or pinning the dashboard HTML, and disabling the nohup/watch auto-start behavior unless continuous exposure is intentional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions, yet its documented behavior includes reading cron data from disk, writing/deploying files, and fetching remote HTML over the network. This is a real security issue because it hides the skill's effective trust boundary from users and reviewers, making informed consent and sandboxing difficult.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose is a local dashboard, but the documented behavior expands substantially to runtime remote fetches from GitHub, an unauthenticated server, file deployment into UI directories, and a persistent sync loop. That mismatch is dangerous because users may approve a seemingly simple visualization skill without realizing it introduces remote content trust, persistent services, and broader filesystem modification.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The server fetches HTML from a remote GitHub URL at runtime and then serves that content directly to users. Because the fetched file is active HTML/JavaScript, any compromise of the upstream repository, network path, or cached content can become a supply-chain attack that executes in clients and can exfiltrate the embedded cron job and run-history data.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code explicitly serves the dashboard with no authentication and binds to 0.0.0.0, exposing it on all network interfaces. This allows any reachable party to view cron job definitions and run history, which may reveal schedules, operational details, command names, and potentially sensitive output or metadata.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script downloads raw HTML from a remote GitHub URL and then deploys it directly into the application's served UI. Because HTML can contain arbitrary JavaScript, any compromise of the upstream repository, branch, network path, or account could result in client-side code execution in the OpenClaw UI context, making this a supply-chain/XSS-style deployment risk.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The added network capability is used to retrieve UI code that is later served locally, which expands trust boundaries beyond a simple dashboard reader. In this skill context, a visual cron dashboard does not inherently require live remote code retrieval, so the capability increases attack surface and enables remote content injection if the source is tampered with.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README states that the dashboard fetches HTML from GitHub at page load/cache time, but it does not clearly warn operators that the skill performs outbound network access and depends on remote content. This creates a supply-chain and privacy risk: a remote change, compromise, or unexpected network path could alter what is served locally, and users may deploy it without realizing it contacts GitHub.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The markdown explicitly states the dashboard serves embedded job and run-history data with 'no auth' and notes the port is exposed by every container, but provides no warning about exposing potentially sensitive operational metadata. In this context, cron job names, schedules, run history, and embedded page content may be accessible to unintended local or bridged network clients.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The setup instructs users to launch the server with nohup in the background, but does not clearly warn that this creates a persistent process that continues serving data after the initiating session ends. Persistent background services increase attack surface and can be forgotten, especially when paired with an unauthenticated HTTP interface.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The service exposes job and run-history data over unauthenticated HTTP and provides no warning to the operator that sensitive local data is being published. In the OpenClaw context, the bridge port is described as already exposed by containers, which makes accidental disclosure more likely and increases the practical risk.

Session Persistence

Medium
Category
Rogue Agent
Content
### 1. Start the dashboard server

```bash
nohup python3 skills/opencron/serve.py --port 18790 &
```

Fetches the dashboard HTML from GitHub, reads live job data and run history from disk, and serves a complete page with data embedded — no client-side fetch, no auth.
Confidence
84% confidence
Finding
nohup

Session Persistence

Medium
Category
Rogue Agent
Content
**Rules:**
- If the server isn't running, start it: `nohup python3 skills/opencron/serve.py --port 18790 &`
- This should be the last line of output after every cron job execution

## Scripts
Confidence
90% confidence
Finding
nohup

VirusTotal

66/66 vendors flagged this skill as clean.