Opencron Skill Repo
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
OpenCron appears to be a real cron dashboard, but it can start a persistent unauthenticated web server that exposes local cron job and run-history data, and it relies on unpinned HTML fetched from GitHub.
Install only if you are comfortable exposing your OpenClaw cron job data through a local dashboard. Before use, confirm who can reach port 18790, consider binding to localhost or adding auth, and avoid running the background sync/server continuously unless you need it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can reach that port may be able to view cron job definitions and run history, which could reveal commands, schedules, operational details, or sensitive output.
The skill explicitly embeds local cron job and run-history data into a web page served without authentication on an exposed port.
reads live job data and run history from disk, and serves a complete page with data embedded — no client-side fetch, no auth. Port 18790 (bridge port) is already exposed by every OpenClaw container.
Bind the dashboard to localhost only where possible, add authentication or access checks, minimize the data embedded in the page, and make exposure of cron data an explicit user choice.
The dashboard server may be started and left running in the background, exposing cron data even when the user did not explicitly request a dashboard session.
The instructions tell the agent to start a long-running server automatically as part of any cron job completion flow, not only when the user asks to open the dashboard.
After Every Cron Job Run ... If the server isn't running, start it: `nohup python3 skills/opencron/serve.py --port 18790 &` ... This should be the last line of output after every cron job execution
Require explicit user approval before starting the server, clearly show when it is running, and provide stop/disable instructions.
A future change or compromise of the remote dashboard HTML could change what runs in the user's browser and could read the embedded cron data.
The live dashboard HTML is downloaded from the mutable `master` branch without a pinned commit, checksum, or signature, then used as the page that receives embedded local cron data.
DASHBOARD_URL = "https://raw.githubusercontent.com/firstfloris/opencron/master/cron-dashboard.html" ... data = urllib.request.urlopen(DASHBOARD_URL).read()
Bundle the reviewed dashboard HTML with the skill, or pin the remote file by commit and verify integrity before serving it.
If the user starts this script, it will keep running and repeatedly write updated dashboard files until manually stopped.
The skill includes a documented background loop that refreshes generated dashboard files every 30 seconds.
while true; do
  python3 "$SCRIPT_DIR/update_canvas.py" --sync 2>/dev/null
  sleep 30
done
Only run the sync loop when needed, and document a clear stop command and cleanup process.
