Clawhub Skill Smart Cron
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: clawhub-skill-smart-cron
Version: 1.0.0
The skill is designed to schedule user-defined tasks via `system cron`, requiring the `exec` tool permission as indicated in `skill.json`. The `SKILL.md` describes how user-provided `--task` arguments will be scheduled. This setup creates a significant vulnerability for shell injection (RCE) if the underlying `smart-cron` implementation (not provided in these files) does not properly sanitize the `--task` input before interacting with the system's cron daemon. While there's no evidence of intentional malicious behavior in the provided documentation, the inherent design exposes a critical attack surface.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Scheduled jobs may continue running after the original request until the user pauses or removes them.
The skill is explicitly designed to create recurring cron-based OpenClaw executions. This is persistent automation, but it is disclosed and aligned with the scheduler purpose.
"Zero external dependencies" — uses system cron + OpenClaw orchestration
Review scheduled jobs with `smart-cron list`, check logs, and pause or remove jobs that are no longer needed.
A poorly specified or overly broad scheduled task could repeatedly perform unintended actions.
The skill accepts user-provided task text and schedule expressions, including custom cron passthrough. This is expected for a scheduler, but broad task text can have significant impact if the user schedules destructive or sensitive actions.
`smart-cron add <schedule> --task <task>` | Schedule a new task
Only schedule explicit, bounded tasks, preview next run times, and avoid recurring jobs that delete, publish, or modify important data unless you have reviewed them carefully.
The skill may not work as documented unless a compatible `smart-cron` command already exists, and that command’s provenance is not verified by this package.
The reviewed package does not include or install the documented `smart-cron` implementation. If the command is used, its actual source would need to be verified outside these artifacts.
No install spec — this is an instruction-only skill.
Install or run only a trusted `smart-cron` implementation, and verify the referenced repository before relying on the commands.
Local logs may retain information about tasks such as email summaries, reports, server checks, or failures.
The skill stores persistent job configuration and execution logs locally. This is disclosed and purpose-aligned, but scheduled task names, errors, and outputs may contain sensitive context.
All job configs and logs stored locally at `~/.openclaw/workspace/smart-cron-data/`. SQLite, no telemetry.
Review the log retention setting and avoid putting secrets or sensitive content directly into scheduled task descriptions.
Failure messages may reveal task names, timing, and error details to the configured messaging channel.
The skill may send failure notifications to an external messaging channel. This is disclosed and fits the alerting feature, but the artifacts do not detail what credentials or message boundaries are used.
Failure alerts — WhatsApp/Telegram alert if a job fails
Configure alerts only for trusted channels and avoid including sensitive information in scheduled task names or outputs.
