Script Cron Jobs (no LLM)

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for scheduled script automation, but it creates a persistent hook that can run local shell scripts unattended with the gateway user's privileges and environment.

Install only if you intentionally want OpenClaw to run local bash scripts automatically. Treat ~/.openclaw/cron-scripts as a trusted-code directory, lock down its permissions, review every script before adding it, and prefer a low-privilege gateway account because scripts can access that user's files, network, and environment variables.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill explicitly installs a startup hook and executes arbitrary shell scripts from a watched directory, yet the metadata does not declare permissions corresponding to shell execution or environment access. That gap is dangerous because it obscures the true trust boundary: any script dropped into the directory will run as the gateway user, making review and consent incomplete.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose understates several sensitive behaviors: persistent startup execution, filesystem watching with hot reload, dynamic job registration, and notification/network egress. This mismatch is risky because users may approve a seemingly simple scheduler without realizing it establishes a persistent execution mechanism that can run arbitrary commands and send data out.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Although the constraints section briefly notes that scripts run as the gateway user, the skill lacks a clear upfront security warning that this enables arbitrary local command execution with that user's privileges. In context, this is especially dangerous because the skill's whole purpose is unattended scheduled execution, increasing the chance that users treat it as harmless automation rather than a privileged persistence and execution surface.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The loader executes arbitrary `.sh` files from a user-writable directory and explicitly passes the full inherited process environment into each script. In this context, that environment may contain API keys, tokens, database credentials, or other sensitive runtime secrets, so any scheduled script can read and exfiltrate them without further privilege escalation. The skill context makes this more dangerous, not less, because its stated purpose is to run shell scripts automatically and without LLM involvement, increasing the chance of unattended secret exposure.

Session Persistence

Medium
Category
Rogue Agent
Content
Copy `hooks/cron-scripts-loader/handler.ts` from this skill into your OpenClaw hooks directory:

```bash
mkdir -p ~/.openclaw/hooks/cron-scripts-loader
cp <skill-dir>/hooks/cron-scripts-loader/handler.ts \
   ~/.openclaw/hooks/cron-scripts-loader/handler.ts
```
Confidence
88% confidence
Finding
```bash
mkdir -p ~/.openclaw/hooks/cron-scripts-loader
cp <skill-dir>/hooks/cron-scripts-loader/handler.ts \
   ~/.openclaw/hooks/cron-scripts-loader/handler.ts
```
Then restart the gateway:
```bash
opencla
```

VirusTotal

65/65 vendors flagged this skill as clean.
