Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Smart Cron
v1.0.0Schedule and manage OpenClaw tasks using natural language with timezone support, failure alerts, logs, and full cron lifecycle commands.
⭐ 0· 924·2 current·3 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Skill describes a CLI that manipulates system cron, stores logs locally, and sends WhatsApp/Telegram alerts. The skill.json declares exec and message tools which fit cron manipulation, but SKILL.md also claims 'zero external dependencies' while listing Python 3.8+ and external alert channels — and yet no install artifacts or credentials are provided. The public GitHub URL is referenced but no code is bundled, which is unexpected for a full-featured CLI.
Instruction Scope
Runtime instructions direct the agent to manage crontab entries and write/read data in ~/.openclaw/workspace/smart-cron-data/, which is consistent with scheduling. However, failure-alert behavior (WhatsApp/Telegram) is described but no mechanism, endpoints, or credential setup is given — the agent may need to access external services or secrets not declared. The SKILL.md examples also imply running arbitrary tasks (e.g., 'summarize my emails') that could require unrelated credentials if invoked.
Install Mechanism
No install spec and no code files are included; this reduces disk-write risk (instruction-only). That said, the skill advertises a CLI and links to a GitHub repo but provides no bundled binary or install steps — an inconsistency that requires clarification from the author.
Credentials
The skill requires no environment variables in metadata, yet promises external alerting channels that typically require API keys/tokens (WhatsApp, Telegram). There is no declared primary credential or guidance for configuring credentials — this is disproportionate and ambiguous. The skill will also write to ~/..., and will need permission to edit crontab, which is expected but privilege-sensitive.
Persistence & Privilege
always:false and user-invocable:true (defaults) — no excessive platform persistence is requested. The skill will create local data under ~/.openclaw/workspace/smart-cron-data/ and may modify system crontab; those are expected for a scheduler but are persistent, so users should consent.
What to consider before installing
This skill is plausible but inconsistent in key ways. Before installing or enabling it: (1) verify the referenced GitHub repo and confirm a trustworthy release/binary or install steps (no code is bundled here); (2) ask the author how WhatsApp/Telegram alerts are implemented and what credentials will be needed — don't provide API keys unless you trust the implementation; (3) be aware the agent will run shell commands (exec) and will edit your crontab and write to ~/.openclaw/workspace/smart-cron-data/ — back up your crontab and review any files created; (4) prefer a version that includes source or a vetted install method, or request explicit instructions for credential configuration and a privacy/telemetry statement. If you need high assurance, treat this as untrusted until you can review the upstream code and alert-channel integration.Like a lobster shell, security has layers — review code before you run it.
latestvk971fbyvnsyz2zwf370megngps81vtas
License
MIT-0
Free to use, modify, and redistribute. No attribution required.