Back to plugin

Security audit

Openclaw Plugin Smart Cron

Security checks across malware telemetry and agentic risk

Overview

The plugin's code, instructions, and manifest are consistent with its stated purpose (running/checking local scripts to gate cron/heartbeat runs); nothing requested or installed is disproportionate — but note that the plugin executes local scripts which inherit the agent's environment and filesystem permissions, so review scripts and config before enabling.

This plugin appears to do what it claims: it runs local check/task scripts to gate or replace scheduled OpenClaw runs. Things to consider before enabling: 1) Only point rules at trusted, auditable executables — the plugin will exec those files and they run with the OpenClaw process' user privileges. 2) Scripts inherit process.env by default (unless you override rule.env), so secrets available to OpenClaw could be accessible to the script — avoid passing secrets or run OpenClaw under a least-privilege account. 3) Use precise match criteria (jobId/runId/agentId) to avoid unintentionally matching many cron jobs; the runtime logs and validateRules warn on empty match blocks. 4) Review any bundled dist artifact or package tarball you install from (this repo includes built JS and a .tgz) and prefer installing from a trusted source. If you want extra assurance, inspect the actual scripts your rules will call, run the plugin in a staging instance, and restrict plugin loading to allowed plugins in your OpenClaw configuration.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.