Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cron Mastery Zc
v1.0.0Master OpenClaw's timing systems. Use for scheduling reliable reminders, setting up periodic maintenance (janitor jobs), and understanding when to use Cron v...
⭐ 0· 103·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description and the instructions consistently describe cron scheduling, one-shot reminders, janitor cleanup, and timezone handling. There are no unrelated requested env vars or binaries, and the included templates match the stated purpose.
Instruction Scope
SKILL.md explicitly instructs agents to: edit MEMORY.md to store user timezone; delete a gateway state file (~/.openclaw/state/cron/jobs.json); run janitor jobs with sessionTarget: "main" (which can list and delete other cron jobs); and create AgentTurn payloads that announce to Telegram channels/IDs. These are functional for a scheduler but they reach into persistent state, system paths, and global job lists—operations that expand the skill's runtime privileges and could be abused or cause collateral impact if misapplied.
Install Mechanism
Instruction-only skill with no install spec and no code files. This minimizes installation risk because nothing is written to disk by the skill bundle itself.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. However, the examples use delivery channels (telegram) and concrete recipient IDs; while examples are fine, in practice sending proactive messages will depend on platform-level credentials and permissions outside the skill. The SKILL.md does not request or explain these credentials, which is reasonable but means operators must ensure proper credential scoping.
Persistence & Privilege
The skill does not request 'always: true', but it instructs using the 'main' session for janitor tasks and recommends manual deletion of gateway state files. Those instructions imply and rely on a session with broad tool access and the ability to modify global scheduler state and filesystem paths—privileges that are beyond a simple helper and warrant caution.
What to consider before installing
This skill appears to be a detailed guide for scheduling and cleanup, but it tells agents to edit memory files, delete gateway state (~/.openclaw/state/cron/jobs.json), and run janitor jobs from the 'main' session which can list/delete other cron jobs. Before installing or using: (1) Confirm you want agents that can modify global scheduler state and filesystem paths; back up jobs.json before following deletion steps. (2) Prefer least-privilege: avoid running janitor tasks from a session with unnecessary rights unless you trust the job definitions. (3) Review any templates that send messages to external channels (e.g., Telegram) and replace example recipient IDs with verified targets. (4) If possible, test on a non-production instance first. If you want, I can point out specific lines to change to make the guidance safer (e.g., add a backup step, require explicit confirmation before deletions, avoid hardcoded recipient IDs).Like a lobster shell, security has layers — review code before you run it.
latestvk971jtb8bz5mmwsb6vacv07dvx83n4f4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.