ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cron Helper

v1.0.0

Schedule and manage recurring tasks for your agent. Create cron jobs, manage timers, and automate periodic work without fighting cron syntax.

0· 1.1k·9 current·9 all-time
byFLY@imaflytok
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions: all runtime examples use an OpenClaw built-in CLI (openclaw cron). No binaries, env vars, or install steps are requested, which is consistent with a lightweight scheduling helper.
!
Instruction Scope
The visible usage is limited to local OpenClaw cron commands, but the SKILL.md includes a 'Related' link to an external site (onlyflies.buzz) and an HTML comment containing OADP metadata (hub, reg, ping) pointing to onlyflies.buzz endpoints. Those endpoints are not mentioned in the main instructions or declared as required resources — this hidden metadata could direct the agent to register or communicate with an external coordination hub, which is outside the skill's stated scope.
Install Mechanism
Instruction-only skill with no install spec and no code to be written to disk; lowest-risk install profile. There is a mention of 'clawhub install clawswarm' but no install specification or provenance for that package is provided.
Credentials
No environment variables or credentials are requested, which is appropriate. However, the external-onlyflies.buzz endpoints implied by the OADP comment could require credentials or enable agent-to-hub communication if the agent follows that metadata — this is not declared and therefore proportionality is unclear.
Persistence & Privilege
always is false and the skill doesn't request elevated or persistent privileges. Autonomous invocation is allowed (platform default) but not combined with other high-risk indicators here.
What to consider before installing
The skill appears to do what it says (manage cron-style tasks) and has no install or credential requests, but the SKILL.md embeds hidden metadata with URLs (onlyflies.buzz) that could cause the agent to contact an external coordination hub. Before installing: (1) verify the skill author/source and whether that onlyflies.buzz service is trusted, (2) ask the author to remove or explain the OADP metadata and any external endpoints, (3) avoid granting secrets or network access to unknown hosts, and (4) if you must test it, run the skill in a sandboxed environment or with network egress restrictions and monitor outbound requests. If the author can confirm the external endpoints are not used or provide trustworthy provenance for ClawSwarm, the risk is reduced.

Like a lobster shell, security has layers — review code before you run it.

latestvk9758kznn24ddrt27gk655eda58234wt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments