Skillv1.0.2

ClawScan security

Safe Cron Runner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 4, 2026, 2:27 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions match its stated purpose (safe background task execution) and do not request unrelated credentials or network access, but there are privacy/operational caveats (logging of commands and an included ISNAD manifest that is not programmatically verified).
Guidance: This skill appears to do what it claims and does not ask for credentials or network access. Before installing, consider: (1) Logs: the runner appends executed commands and output previews to /tmp/safe_cron.log — avoid passing secrets or sensitive arguments to commands you run with this skill, and if you adopt it, change the log path and tighten permissions. (2) Privilege drop: the code only drops privileges when started as root (expected behavior); validate that your runtime environment behaves as you expect. (3) ISNAD manifest: a signed manifest is included but the code does not verify it at runtime — if provenance matters, verify the signature externally. (4) Audit: review/monitor agent use of this skill before allowing autonomous invocations to ensure it isn't used to run unexpected commands. If you want stronger privacy, modify the code to sanitize logged arguments and to write logs to a controlled location with restricted permissions.

Purpose & Capability: okName/description match the code: the module drops privileges when run as root, enforces a timeout, runs subprocesses without shell=True, and logs results. No unexpected binaries, env vars, or external services are requested.
Instruction Scope: noteSKILL.md describes exactly the behaviors implemented in safe_cron.py. However, SKILL.md does not call out that the runner writes an audit log to /tmp/safe_cron.log containing the joined command string and stdout/stderr previews — this can leak arguments or sensitive data. Also the bundle includes an ISNAD manifest and PGP signature, but the runtime code does not verify the manifest or signature.
Install Mechanism: okThere is no install spec (instruction-only skill) and no downloads. The only code is included in the package; nothing is fetched from external URLs during install.
Credentials: noteThe skill requests no environment variables or credentials. A minor proportionality concern: it writes logs to /tmp (world-writable area on many systems), potentially exposing commands/arguments and output. Privilege dropping only takes effect when the process is started as root; otherwise it's a no-op (this is expected but worth noting).
Persistence & Privilege: okalways:false and no install hooks or configuration changes are requested. The skill does allow subprocess execution (normal for a cron runner); autonomous invocation is allowed by default but not in itself a red flag here.