Dangerous exec
- Finding
- Shell command execution detected (child_process).
Security checks across static analysis, malware telemetry, and agentic risk
Review recommended: the scheduler is mostly coherent, but one cancellation path uses unsafe shell command construction, and the skill handles customer data, reminders, and calendar access.
Before installing, decide whether you are comfortable storing customer contact and no-show data under ~/.openclaw, using Google Calendar OAuth, and enabling cron-based reminders. Avoid using --notify-waitlist in cancel-booking.js until the shell command is fixed, or patch it to use safe argument passing.
65/65 vendors flagged this skill as clean.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Cancelling a booking with waitlist notification could become a path to run unintended local commands if a crafted booking ID is present.
The command interpolates bookingId into a shell string instead of passing it as an argument array. Generated booking IDs appear to be hex, but if local booking data is poisoned or a crafted ID reaches this path, extra shell commands could run under the user's account.
const output = execSync(`node "${scriptPath}" notify --booking-id ${bookingId}`, {
Replace execSync with execFile or spawn using argument arrays, and validate booking IDs with a strict pattern such as /^[a-f0-9]{12}$/ before use.
Installing the skill's dependencies will pull code from the npm ecosystem.
The skill relies on npm packages for parsing and Google API access. This is expected for the stated purpose, and a package-lock is present, but users should recognize that setup installs third-party code.
"dependencies": { "chrono-node": "^2.7.0", "googleapis": "^128.0.0" }
Install from a trusted copy of the skill, prefer npm ci when using the provided lockfile, and review dependency updates before refreshing them.
If enabled, the skill can create calendar events using the authorized Google account and calendar scope.
The Google Calendar sync uses a local OAuth token and requests the broad Calendar scope. That matches calendar sync, but it grants meaningful authority over the user's Google Calendar account.
const TOKEN_PATH = path.join(process.env.HOME, '.secrets', 'google-calendar-token.json'); ... scope: ['https://www.googleapis.com/auth/calendar']
Use a dedicated business calendar or account if possible, review the OAuth consent screen carefully, and revoke the token if you stop using the skill.
Customer appointment details may be stored in Google Calendar and become visible to anyone with access to that calendar.
Calendar sync sends customer names, phone numbers, and notes into Google Calendar events (the event description labels 고객, 전화 and 메모 are Korean for Customer, Phone and Note). This is purpose-aligned, but it is an external provider data flow involving customer information.
description: `고객: ${booking.customer.name}\n전화: ${booking.customer.phone || 'N/A'}\n메모: ${booking.notes || 'N/A'}` ... calendar.events.insert({ calendarId: calendarId, resource: event })
Use a calendar with appropriate sharing settings, avoid placing unnecessary sensitive notes in bookings, and inform staff and customers as appropriate for your privacy obligations.
Customer contact details and no-show flags may remain on disk and influence later scheduling or deposit decisions.
The skill persists customer no-show history and flagged-customer records that can affect future booking decisions. This is part of the stated no-show feature, but it is sensitive persistent context.
history.push({ customer_name: booking.customer.name, customer_phone: booking.customer.phone, customer_email: booking.customer.email, ... }); ... flagged[key] = { ... require_deposit: ... }
Set a retention policy for no-show records, restrict access to the workspace data directory, and periodically review or delete stale flagged-customer entries.
If you add the cron jobs, reminders or calendar sync can run repeatedly without a fresh manual prompt each time.
The README documents cron jobs for recurring reminders and calendar sync. This background automation is disclosed and purpose-aligned, but it can keep acting after initial setup.
0 9 * * * cd /Users/mupeng/.openclaw/workspace/skills/appointment-scheduler/scripts && node send-reminders.js --type day-before ... */30 * * * * cd /Users/mupeng/.openclaw/workspace/skills/appointment-scheduler/scripts && node sync-google-calendar.js
Only install the cron entries you actually want, monitor the first few runs, and remove the cron jobs when the business no longer uses the skill.