Back to skill

Security audit

PokeCron · ⌈拍一拍⌋

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed power-user reminder scheduler, but one stored-context feature can leak commitments into later agent prompts more broadly than documented.

Install only if you intentionally want user-level OS timers and delayed local command execution. Avoid storing sensitive commitments until the scope-filtering issue is fixed, and review active reminders, hook commands, .runtime logs, and any --hook-env values before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill description materially understates implemented behavior and platform support, which can cause reviewers, users, or calling agents to make unsafe trust decisions. When a skill can create persisted schedulers, run command hooks, rewrite config, and support more platforms/features than advertised, the mismatch increases the chance of unintended invocation or use in environments where its side effects were assumed impossible.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description includes broad natural-language trigger phrases like 'remind me', 'wake me', 'every morning', and 'keep poking until I reply', which can cause over-eager routing by an orchestrator. In this skill's context, accidental invocation is more dangerous than usual because the tool creates persistent OS-native scheduled tasks and may later execute user-configured commands under the user's account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill executes persisted user-configured commands via execFileSync at reminder and reply time under the user's account, but there is no execution-time confirmation, prominent warning, or audit disclosure to the user receiving/scheduling the reminder. In this skill's context, command hooks are a core feature and persist across OS-native schedulers, so a user or upstream agent can create delayed command execution with weak visibility, increasing the chance of stealthy misuse or surprise local code execution.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This is a real privacy and prompt-scope vulnerability: due commitments containing potentially sensitive user-facing text are automatically appended into future agent task prompts based on scope matching, without any explicit user-facing warning or consent at creation time. That can cause unintended disclosure of personal or confidential context to later agent runs, plugins, logs, or downstream model providers, especially because commitments may include sensitive relationship, health, or work details.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/reminders.js:457

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/runtime/openclaw.js:163

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/scheduler.js:46