Back to plugin

Security audit

Openclaw Plugin Smart Cron

Security checks across malware telemetry and agentic risk

Overview

The plugin does what it says — it gates or runs host scripts for cron/heartbeat-triggered runs — but it executes arbitrary local scripts with the host process environment, so you should only install it from a trusted source and review your rules and scripts carefully.

This plugin is coherent with its stated purpose, but it runs local scripts as the OpenClaw process and hands them the process environment. Before installing: (1) only install from a source you trust; review the repository and the scripts you will reference in rules; (2) avoid passing sensitive credentials via process.env or use dedicated, minimal environment variables in rule.env (rule.env overrides are merged but cannot remove existing inherited vars); (3) ensure scripts are owned and permissioned appropriately and placed in locations that untrusted users cannot modify; (4) prefer running scripts under a restricted/no-privilege account or in a sandbox if possible; (5) test in staging to confirm skip codes, timeouts, and failOpen behavior; and (6) monitor logs for unexpected behavior. If you need the plugin to run in a low-risk mode, configure rules conservatively (specific jobId/agentId matching) and explicitly set rule.env to a minimal set of values rather than relying on inherited environment variables.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.