Back to skill

Security audit

Project Daily Recap

Security checks across malware telemetry and agentic risk

Overview

This is a real scheduled reminder skill, but it can install a persistent cron job and send project recap content to hardcoded messaging recipients that are not clearly controlled by the installer.

Review this carefully before installing. Only use it after editing reminder.sh/config so the message channel, account, and recipient are explicitly yours, and inspect the cron line it will add. Avoid putting sensitive project details in TODAY_PROGRESS or TOMORROW_PLAN unless you are certain where the messages will be delivered.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documentation presents the skill as a simple, zero-LLM reminder, but it also describes behavior that reads local OpenClaw session state, auto-configures a messaging recipient, installs persistence via cron, and sends a test message. That mismatch is dangerous because users may consent to a harmless-looking reminder while unknowingly granting access to session-derived data and automated outbound messaging to potentially unintended recipients.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The script uses `source "$CONFIG_FILE"`, which executes the config file as shell code rather than safely parsing data fields. If an attacker or untrusted process can modify `config`, they can achieve arbitrary command execution with the privileges of the script, which is especially risky in an automated cron-like context common for reminder jobs.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The install instructions do not prominently warn that setup will read session information, configure a WeChat recipient, create a cron job, and immediately send a test message. Hidden side effects during installation increase the risk of unauthorized persistence and accidental data or message disclosure because users may run setup.sh without informed consent.

Session Persistence

Medium
Category
Rogue Agent
Content
git clone <repo-url> project-daily-recap

# 或者直接放在 skills 目录下
mkdir -p project-daily-recap
# 把文件复制进去

# 运行安装脚本
Confidence
90% confidence
Finding
mkdir -p project-daily-recap # 把文件复制进去 # 运行安装脚本 cd project-daily-recap bash setup.sh ``` 安装脚本会自动: 1. ✅ 检测 Node.js 版本 2. ✅ 检测当前 OpenClaw 登录状态 3. ✅ 读取当前会话信息自动配置微信接收人 4. ✅ 写入 cron 定时任务(默认每晚 20:00) 5. ✅

Session Persistence

Medium
Category
Rogue Agent
Content
CRON_CMD="/bin/bash ${SCRIPT_DIR}/reminder.sh"
CRON_LINE="${CRON_EXPR} ${CRON_CMD}"

# 读取现有 crontab
CURRENT_CRON=$(crontab -l 2>/dev/null || true)

# 检查是否已有同一条目
Confidence
79% confidence
Finding
crontab CURRENT_CRON=$(crontab -l 2>/

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.