ClawHub

Chronos

Security checks across malware telemetry and agentic risk

Overview

Chronos is a disclosed local recurring-task and reminder tool, but it can change task data, manage cron reminders, send todo content to a configured chat, and run optional workspace-memory handlers.

Install only if you want Chronos to manage your local todo.db and OpenClaw cron reminders. Configure the chat ID intentionally, treat todo snapshots as potentially sensitive, back up todo.db before any --apply maintenance command, and avoid enabling meta-review or subagent-memory handlers unless you trust the workspace files and helper scripts they read and update.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes meaningful capabilities including environment access, filesystem read/write, and shell execution, but does not declare permissions or boundaries. In an agent ecosystem, this weakens reviewability and informed consent, making it easier for a task-management skill to access workspace data or invoke commands beyond what a user would reasonably expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes well beyond a generic periodic task manager: it can mutate legacy database records, perform cleanup and schema changes, manage external cron state, invoke special handlers, and read/write workspace memory and other files. This mismatch is dangerous because users and reviewers may authorize the skill for low-risk scheduling purposes while it actually has broad side effects across the database, filesystem, and external tooling.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The plan explicitly introduces `special_handler` execution for system tasks and fallback workflows that can run operational logic based on task metadata. Turning a scheduler into an execution engine creates a dangerous privilege boundary: if task rows or handler payloads are created or modified without strict controls, an attacker could trigger unintended code paths, side effects, file writes, or system operations via scheduled completion flows.

Context-Inappropriate Capability

High
Confidence
86% confidence
Finding
The document proposes managing a memory-sync system task within Chronos or adjacent orchestration logic, which extends the scheduler into sensitive internal state-management operations. If such tasks are exposed through the same task model as user-manageable schedules, attackers may gain a path to trigger synchronization routines, influence agent memory state, or abuse scheduled execution for non-scheduling system behavior.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill is described as a periodic task manager, but it also reads from the general entries table and sends a unified todo snapshot that includes non-periodic tasks. This expands access to unrelated user data and creates a scope-creep privacy issue, especially because the snapshot is later transmitted to an external chat target.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The todo entrypoint includes subagent memory synchronization capabilities unrelated to task management, expanding its authority far beyond the declared skill scope. This violates least privilege and creates an unexpected path for reading, mutating, and marking synchronization state in another subsystem from a broadly reachable command surface.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Overdue-task handling directly inspects workspace knowledge files like PREDICTIONS.md and FRICTION.md and appends persistent memory log entries, even though this is outside normal todo completion behavior. This couples unrelated sensitive workspace content to routine scheduling actions and can expose or mutate contextual data without clear user intent.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code can enumerate pending subagent sessions, invoke synchronization, and mark sessions as failed or synced, allowing a periodic-task tool to change the state of the subagent memory ledger. In context, that is especially dangerous because overdue task completion can trigger these actions automatically, creating cross-domain side effects without clear separation or approval.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
Task names, predictions, outcomes, and lessons are forwarded to an external helper process without any visible user consent, disclosure, or data-minimization controls. In a scheduler context, those fields may contain sensitive operational details, incident information, or business context, so silent transmission to another component meaningfully increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document recommends running a command with `--apply` against a live workspace database, which performs irreversible cleanup, but it does not place a clear warning immediately around the destructive command. In an agent-skill context, users or downstream automation may copy the command verbatim, increasing the risk of unintended data modification or deletion even though the cleanup logic is described as low-risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script prints the fully resolved chat ID directly to stdout, which can expose a sensitive messaging destination identifier in terminals, CI logs, shell history captures, screenshots, or support bundles. In a task-scheduler/admin utility context, configuration checks are likely to be run during troubleshooting and automation, increasing the chance that this identifier is broadly visible beyond intended operators.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code builds a snapshot of today's tasks, including non-periodic entries, and sends it to an external chat target via cron without any visible user consent or warning in this file. That creates a real confidentiality risk because task text, categories, statuses, and schedule information may contain sensitive personal or business data and are automatically exfiltrated off-system.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The overdue-completion workflow performs state-changing task completion and may invoke fallback handlers automatically, without confirmation or a pre-action warning. In this file's context, that risk is amplified because fallback handlers can touch unrelated workspace files and synchronize subagent memory, so a seemingly routine completion action can silently trigger broader side effects.

Ssd 3

Medium
Confidence
91% confidence
Finding
The subagent sync path writes session counts and per-session synchronization details into a persistent memory log in plain language. That can leak operational metadata or user-/agent-derived identifiers into broader workspace memory, increasing retention and exposure beyond the original processing context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal