Casual Cron
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken parse or destination could create a scheduled message to the wrong chat or channel.
The skill uses the OpenClaw CLI to create scheduled delivery jobs. This is central to the stated purpose and includes confirmation guidance, but users should verify the generated command, recipient, and channel before execution.
Builds `openclaw cron add` command with correct flags ... Always include `--deliver --channel <channel> --to <destination>`.
Before approving a job, confirm the schedule, message text, channel, and recipient—not just the time and job name.
Recurring reminders may keep sending messages until the user cancels or deletes the cron job.
The skill intentionally creates recurring jobs that will continue sending messages. This is expected for a cron scheduler, but it is persistent behavior.
### /every (repeating) ... Always include `--deliver --channel <channel> --to <destination>`.
Use conservative repeat intervals, review active cron jobs periodically, and delete jobs that are no longer needed.
It may be unclear which copy of the skill or helper script is the active one.
The nested skill metadata reports version 1.1.0 while the registry/top-level metadata reports 1.2.0, and the manifest includes duplicate root and nested copies of SKILL.md and cron_builder.py. This is a packaging/provenance ambiguity rather than direct malicious behavior.
"version": "1.1.0"
Prefer a cleaned package with one canonical skill path and consistent version metadata.