Back to skill

Security audit

Sleep Snooze

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its sleep-snooze purpose, but it needs review because it can automatically reveal your sleep window to message senders and persists sensitive message handling locally and through cron.

Install only if you are comfortable with all sleep-time messages being stored locally for digests, message previews appearing in the morning digest, persistent cron jobs being added, and senders potentially being told that you are asleep along with your sleep window. Review or disable the dm-guard auto-reply behavior if that privacy disclosure is not acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill instructs use of environment variables such as SLEEP_START, WAKE_TIME, and TIMEZONE but declares no corresponding permissions or capability disclosure. Undeclared access to environment-derived configuration weakens transparency and makes it harder for users or the platform to understand what data sources the skill depends on.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose is notification snoozing, but the skill also describes broader behavior: intercepting all outgoing agent messages, allowing urgent/VIP bypass logic, and registering cron jobs that persist beyond the current session. This mismatch is dangerous because it expands operational control over communications and system scheduling beyond what a user would reasonably infer from the description.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The setup script installs persistent user cron jobs by invoking shell commands and modifying the user's crontab. While this appears aligned with implementing scheduled sleep/wake behavior, it grants durable execution outside the normal skill runtime and broadens the skill's operational scope, which is risky because any compromise of the script path or arguments would be repeatedly executed on a schedule.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill stores message contents from all connected providers in a local SQLite queue and later summarizes them, but the description does not clearly warn the user about this retention and cross-provider aggregation. This is a privacy issue because sensitive communications may be persisted locally without fully informed consent or clear retention expectations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The hook explicitly states that incoming message content is queued to SQLite and logged for a morning digest, but the skill description does not warn users that message bodies will be retained and summarized later. This creates a privacy and consent issue: users may enable a sleep/snooze feature expecting temporary suppression, not persistent storage of potentially sensitive third-party communications.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The sleep guard instructs agents to classify urgency using a hardcoded English-only keyword list such as 'urgent', 'emergency', and 'help me'. In a multilingual messaging context, urgent messages in other languages or phrasings may be incorrectly queued during the user's sleep window, causing delayed delivery of time-sensitive communications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup guide includes a reset command that irreversibly deletes the skill's local data directory without an explicit warning that queued messages, state, and VIP contact configuration will be lost. Even though it is framed as troubleshooting, users may copy-paste it without understanding the data-loss consequences.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script includes previews of queued message contents in the digest text and emits that digest for delivery via whichever provider(s) OpenClaw has active. That can retransmit private message content to an external service or a different messaging channel than the original source without explicit user consent or warning, creating a confidentiality/privacy leak by design.

Session Persistence

Medium
Category
Rogue Agent
Content
1. Ask for their sleep start time (e.g. "What time do you usually go to bed?")
2. Ask for their wake time (e.g. "What time do you usually wake up?")
3. Ask for their timezone (offer to detect it automatically using `date +%Z`)
4. Run `node ~/.openclaw/skills/sleep-snooze/scripts/sleep-init.js` to write config and register cron jobs
5. Confirm the schedule back to the user: "Sleep snooze is set: 🌙 10:00 PM → ☀️ 6:00 AM (IST). I'll queue notifications overnight and send your digest at 6:00 AM."

## State Management
Confidence
90% confidence
Finding
write config and register cron jobs 5. Confirm the schedule back to the user: "Sleep snooze is set: 🌙 10:00 PM → ☀️ 6:00 AM (IST). I'll queue notifications overnight and send your digest at 6:00 AM."

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Reset everything:**
```bash
rm -rf ~/.openclaw/skills/sleep-snooze/data/
node ~/.openclaw/skills/sleep-snooze/scripts/sleep-init.js
```
Confidence
94% confidence
Finding
rm -rf ~

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Reset everything:**
```bash
rm -rf ~/.openclaw/skills/sleep-snooze/data/
node ~/.openclaw/skills/sleep-snooze/scripts/sleep-init.js
```
Confidence
94% confidence
Finding
rm -rf ~/.openclaw/skills/sleep-snooze/data/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.destructive_delete_command

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
hooks/dm-guard/handler.js:31

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/gate.js:54

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/sleep-init.js:50

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
references/setup.md:146