Opencron Skill Repo
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: opencron
Version: 1.2.0
The skill implements a cron dashboard by fetching a remote HTML template from GitHub (raw.githubusercontent.com) and injecting local job data into it. The resulting page is either served by an unauthenticated HTTP server on port 18790 (serve.py) or written directly to the gateway's static UI directory (update_canvas.py). This architecture introduces a significant supply chain risk (a change to the remote template runs attacker-chosen script in the user's browser, or in the gateway UI, with access to the embedded cron data) and a risk of unauthorized data exposure, since cron job details and run history are served without authentication. While these behaviors are high-risk, they appear to be functional components of the dashboard rather than intentional malware.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding: Cron job data served without authentication
Anyone who can reach port 18790 may be able to view cron job definitions and run history, which could reveal commands, schedules, operational details, or sensitive output.
The skill explicitly embeds local cron job and run-history data into a web page served without authentication on an exposed port.
Evidence: "reads live job data and run history from disk, and serves a complete page with data embedded — no client-side fetch, no auth. Port 18790 (bridge port) is already exposed by every OpenClaw container."
Recommendation: Bind the dashboard to localhost only where possible, add authentication or access checks, minimize the data embedded in the page, and make exposure of cron data an explicit user choice.
Finding: Server started automatically and left running in the background
The dashboard server may be started and left running in the background, exposing cron data even when the user did not explicitly request a dashboard session.
The instructions tell the agent to start a long-running server automatically as part of every cron job completion flow, not only when the user asks to open the dashboard.
Evidence: "After Every Cron Job Run ... If the server isn't running, start it: `nohup python3 skills/opencron/serve.py --port 18790 &` ... This should be the last line of output after every cron job execution"
Recommendation: Require explicit user approval before starting the server, clearly show when it is running, and provide stop/disable instructions.
Finding: Dashboard HTML fetched from an unpinned remote branch
A future change or compromise of the remote dashboard HTML could change what runs in the user's browser and could read the embedded cron data.
The live dashboard HTML is downloaded from the mutable `master` branch without a pinned commit, checksum, or signature, then used as the page that receives embedded local cron data.
Evidence: `DASHBOARD_URL = "https://raw.githubusercontent.com/firstfloris/opencron/master/cron-dashboard.html" ... data = urllib.request.urlopen(DASHBOARD_URL).read()`
Recommendation: Bundle the reviewed dashboard HTML with the skill, or pin the remote file by commit and verify its integrity before serving it.
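The hardening that the two recommendations above call for (pin the template to a commit and verify a digest before serving it; bind to loopback and require a credential), shown as an added example in Python. This is not opencron's own serve.py or update_canvas.py. The repository path, file name and port are taken from the findings; the commit SHA, the expected digest, the `{{JOBS_JSON}}` placeholder in the template and the bearer-token scheme are assumptions. It also escapes job data before embedding it, because cron output is attacker-influenced text that lands inside a script tag. The sample template is constructed so the example runs offline.

```python
"""Hardened dashboard sketch (added example, not opencron's code).  Assumptions are marked."""
import hashlib
import hmac
import http.server
import json
import re
import secrets
import urllib.request
from http import HTTPStatus

# Repository and file name come from the DASHBOARD_URL quoted in the finding.
TEMPLATE_REPO = "firstfloris/opencron"
TEMPLATE_PATH = "cron-dashboard.html"
# Placeholders (assumptions): a real deployment pins the 40-hex commit SHA it
# reviewed and the SHA-256 of cron-dashboard.html as it was at that commit.
PINNED_COMMIT = "0" * 40
PINNED_SHA256 = "<sha256 of the reviewed cron-dashboard.html>"

# Constructed stand-in template so the example runs without network access.
SAMPLE_TEMPLATE = b"<html><body><script>const jobs = {{JOBS_JSON}};</script></body></html>"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_TEMPLATE).hexdigest()


def pinned_template_url(repo: str, commit: str, path: str) -> str:
    """Build a raw.githubusercontent.com URL for an immutable commit; refuse branch names."""
    if not re.fullmatch(r"[0-9a-f]{40}", commit):
        raise ValueError("commit must be a full 40-hex SHA, not a branch such as 'master'")
    return f"https://raw.githubusercontent.com/{repo}/{commit}/{path}"


def verify_template(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the downloaded bytes against the reviewed digest."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256)


def load_template(fetch, url: str, expected_sha256: str) -> bytes:
    """Fetch through the supplied callable and refuse anything that does not match."""
    data = fetch(url)
    if not verify_template(data, expected_sha256):
        raise RuntimeError(f"template at {url} does not match the pinned SHA-256; refusing to serve")
    return data


def fetch_https(url: str, timeout: float = 10.0) -> bytes:
    """Network fetch for real use; the offline test never calls it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def render_dashboard(template: bytes, jobs: list) -> bytes:
    """Embed job data as JSON with '<' escaped so job output cannot close the script tag."""
    payload = json.dumps(jobs).replace("<", "\\u003c")
    return template.replace(b"{{JOBS_JSON}}", payload.encode())


def is_authorized(headers, token: str) -> bool:
    """Bearer-token check (assumed scheme); headers may be a dict or the handler's message."""
    presented = headers.get("Authorization", "")
    return hmac.compare_digest(presented.encode(), f"Bearer {token}".encode())


class DashboardHandler(http.server.BaseHTTPRequestHandler):
    page = b""
    token = ""

    def do_GET(self):
        if not is_authorized(self.headers, self.token):
            self.send_error(HTTPStatus.UNAUTHORIZED)
            return
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(self.page)))
        self.end_headers()
        self.wfile.write(self.page)


def serve(page: bytes, token: str, host: str = "127.0.0.1", port: int = 18790):
    """Bind to loopback only, as the report recommends; the port is the one from the finding."""
    DashboardHandler.page = page
    DashboardHandler.token = token
    with http.server.ThreadingHTTPServer((host, port), DashboardHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    url = pinned_template_url(TEMPLATE_REPO, PINNED_COMMIT, TEMPLATE_PATH)
    template = load_template(fetch_https, url, PINNED_SHA256)  # fails closed on mismatch
    token = secrets.token_urlsafe(32)
    print(f"dashboard token (present as 'Authorization: Bearer ...'): {token}")
    serve(render_dashboard(template, [{"name": "backup", "schedule": "0 3 * * *"}]), token)
```

The fetch callable is injected so the digest check can be exercised without the network; a wrong digest raises before anything is served, which is the property the finding asks for. Binding to 127.0.0.1 removes the exposure through the container's published port, and the token covers the case where something else on the host can still reach loopback.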
Finding: Documented background refresh loop with no stop procedure
If the user starts this script, it will keep running and repeatedly write updated dashboard files until manually stopped.
The skill includes a documented background loop that refreshes generated dashboard files every 30 seconds. Because stderr is discarded with `2>/dev/null`, the loop keeps running silently even if update_canvas.py starts failing.
Evidence:

```bash
while true; do
  python3 "$SCRIPT_DIR/update_canvas.py" --sync 2>/dev/null
  sleep 30
done
```

Recommendation: Only run the sync loop when needed, and document a clear stop command and cleanup process.
