Skill v0.1.5
ClawScan security
OpenClaw Cron Guardrails · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 13, 2026, 11:06 PM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (cron guardrails) but has some mismatches and moderate risks: its scripts call the local 'openclaw' CLI (not declared), can execute shell commands (shell=True), and include automatic-fix behavior that can edit jobs — all of which deserve caution before installing.
- Guidance: This skill is broadly coherent with its cron-guardrail purpose, but take these precautions before enabling it:
  - Expect the skill to require the local 'openclaw' CLI and whatever account that CLI uses; the package metadata does not declare that dependency. Confirm the CLI is installed and that you understand which workspace/account/token it will operate under.
  - Scripts may modify live cron jobs. By default the scripts support dry-run modes, but passing --apply (or using cron_doctor with --apply-errors) will make changes. Do not run with apply flags until you review what the tool will change.
  - create_cron.py renders a command and then executes it with shell=True when applying. If you plan to use the apply path, inspect render_cron_command.py to verify it properly escapes or constrains fields (untrusted input could lead to shell injection). Prefer printing the rendered command and running it manually.
  - If you want to reduce risk: run lint_existing_crons.py and create_cron.py in dry-run modes, review outputs, and grant apply only after human approval. Consider running the scripts in a sandboxed account with limited permissions.

  What would change my assessment to 'benign': the package metadata explicitly listing 'openclaw' as a required binary and documenting the expected account/permission scope, and the render/create code avoiding shell=True or otherwise sanitizing/executing commands without invoking an unsafe shell. Providing tests or a safety-review for renderer/validator would also increase confidence.
Review Dimensions
- Purpose & Capability (concern): The skill's purpose (create/review/repair cron jobs) matches the included scripts which validate, render, list, edit, and fix cron jobs. However the package metadata declares no required binaries or environment but the scripts repeatedly call the local 'openclaw' CLI (e.g., openclaw cron list/add/edit/run). Not declaring this dependency is an incoherence: the skill will fail or behave unexpectedly without the OpenClaw CLI present, and it implicitly assumes the CLI is configured with credentials/permissions.
- Instruction Scope (note): SKILL.md and the scripts stay within scheduling/routing scope and explicitly recommend conservative, review-first flows. They do not instruct reading arbitrary user files, but the natural-language parser flags file references and the transformer preserves prompt diagnostics. The runtime scripts call system commands (openclaw CLI) and may run 'openclaw cron run' or 'openclaw cron edit' — operations that change system state. The SKILL.md advises verification, but the code can apply changes if run with apply flags.
- Install Mechanism (ok): There is no install spec — this is instruction-and-script-only. Nothing is downloaded or written during install, which is low-risk. All code shipped is local Python scripts.
- Credentials (concern): The skill declares no required env vars or credentials, but it implicitly requires access to the user's OpenClaw CLI and the account that CLI is authenticated to. That CLI access provides whatever privileges are configured (list, edit, create cron jobs). The lack of declared required binaries/config paths (openclaw CLI, agent credentials) is an omission that hides the real credential/permission scope the skill will use.
- Persistence & Privilege (note): always:false (not force-included) and model invocation is allowed (platform default). The scripts include an automated fixer (cron_doctor -> cron_fix) that can run edits when invoked with --apply. While not privileged by default, if an agent runs these with apply, jobs will be modified. This is coherent for a repair tool but increases blast radius if invoked autonomously without human confirmation.
