OpenClaw Cron Guardrails

Security checks across malware telemetry and agentic risk

Overview

This cron helper is mostly transparent, but it normalizes recurring session prompt injection and can create or edit scheduled agent jobs, so users should review it carefully before installing.

Install only if you intentionally want a helper that can manage OpenClaw cron jobs and recurring agent actions. Review any job before applying it, avoid using the session/thread prompt-injection patterns, and only use webhook delivery with trusted endpoints and non-sensitive output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        print(json.dumps({"ok": True, "mode": "dry-run", "validation": validation, "render": rendered}, ensure_ascii=False, indent=2))
        raise SystemExit(0)

    proc = subprocess.run(command, shell=True, text=True, capture_output=True)
    result = {
        "ok": proc.returncode == 0,
        "mode": "apply",
Confidence
99% confidence
Finding
proc = subprocess.run(command, shell=True, text=True, capture_output=True)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation guidance tells the agent to use this skill whenever a user wants any scheduled or repeated action, even if they never mention cron, and the metadata also covers broad natural-language reminders, recurring nudges, and repeated prompt injection. That broad trigger surface can cause the skill to engage in ordinary conversation and steer the agent toward file/script/shell-backed cron workflows unnecessarily, which raises the risk of unintended job creation, misrouting, or repeated prompt injection into a session/thread.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation guidance is intentionally broad enough to trigger on common natural-language scheduling phrases, which can cause the skill to activate outside a tightly bounded cron-management context. In an agentic system, overly broad routing increases the chance of misclassification and unintended execution of scheduled actions, including recurring nudges or thread/session injections, making this a real security-relevant issue even if not overtly malicious.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The webhook pattern explicitly routes cron output to an external HTTP endpoint, but the guidance does not warn that scheduled jobs may transmit prompts, results, or derived sensitive data outside the local/chat environment. In a scheduling skill, this is materially risky because users may copy the pattern for internal jobs without realizing they are creating an automated exfiltration path to a third-party service.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script performs immediate shell execution when --apply is supplied, without an additional confirmation or warning at the dangerous step. In a scheduling/agent skill context, this increases the chance that a user or upstream tool unintentionally causes execution of a sensitive cron-creation command or a maliciously altered rendered command.

Ssd 2

Medium
Confidence
98% confidence
Finding
The example explicitly models 'prompt injection' against the current session agent as a valid schedulable intent, which normalizes an adversarial action into supported workflow behavior. In a cron/scheduled-actions skill, this is especially dangerous because it enables repeated, automated injection attempts against an active agent/session, increasing persistence and blast radius beyond a one-off unsafe prompt.

Ssd 2

Medium
Confidence
99% confidence
Finding
The usage example repeats an attack-phrased command instructing prompt injection into the current session agent, effectively providing copy-pastable guidance for misuse. Because this skill is specifically for creating and routing cron jobs, documenting this as normal usage lowers operator caution and can directly facilitate recurring adversarial actions in live sessions.

Ssd 2

Medium
Confidence
91% confidence
Finding
The parser intentionally recognizes phrases like 'nudge this session', 'push this thread', and 'inject prompt' as session-injection intent, which can normalize or enable repeated prompt delivery into the current conversation context. In a cron/scheduled-action skill, that is security-relevant because misclassification or permissive handling of these requests can lead to unauthorized persistence, repeated prompt injection, or routing of automated content into an active session/thread.

VirusTotal

66/66 vendors flagged this skill as clean.