Oban Designer
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: oban-designer
Version: 1.0.1
The skill bundle is classified as suspicious due to the presence of risky capabilities demonstrated in the `references/worker-patterns.md` file. Specifically, the `DeliverWebhook` worker example shows how to make external network requests using `Req.post` to a URL provided in job arguments, and the `ImportCSV` worker example demonstrates reading from an arbitrary file path using `File.stream!` also provided in job arguments. While these functionalities are legitimate for background job systems, they represent high-risk capabilities that could be abused for data exfiltration or arbitrary file access if an attacker gains control over job creation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the recommended dependency changes the application supply chain.
The skill tells users to add the external Oban package. This is central to the stated purpose, but it still introduces a dependency that should be reviewed and locked by the user's project.
{:oban, "~> 2.18"}
Review the resolved package version and lockfile, use trusted package sources, and test the Oban migration in development or staging first.
A generated or copied cleanup worker could delete application records automatically if deployed.
The cleanup worker example performs database deletion. This is purpose-aligned for a background cleanup pattern and scoped to old records, but copied code would mutate production data.
from(t in MyApp.Accounts.UserToken, where: t.inserted_at < ^cutoff) |> Repo.delete_all()
Review deletion criteria, retention periods, backups, and dry-run behavior before scheduling cleanup jobs in production.
If used without validation, webhook jobs could send data to unintended or untrusted endpoints.
The webhook worker example sends a job-provided payload to a job-provided URL. Webhook delivery is an expected background job use case, but destination and payload handling need validation in real applications.
case Req.post(url, json: payload, headers: headers, receive_timeout: 25_000) do
Validate or allowlist webhook destinations, minimize payload contents, and avoid placing sensitive secrets directly in job arguments unless protected appropriately.
Scheduled workers can repeatedly perform actions such as cleanup, metrics collection, or notifications.
The skill documents recurring background jobs. This persistence is expected for Oban cron scheduling, but recurring jobs continue running after deployment until disabled.
{Oban.Plugins.Cron, crontab: [{"0 2 * * *", MyApp.Workers.DailyCleanup}, {"*/5 * * * *", MyApp.Workers.MetricsCollector}]}
Confirm cron schedules, job idempotency, and disable/rollback procedures before enabling recurring jobs in production.
