ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cron Setup

v1.0.0

Create and manage OpenClaw cron jobs following our conventions. Use when setting up periodic tasks, reminders, automated checks, or any scheduled work.

0· 657·4 current·4 all-time
by@brennerspear
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to be a cron-job convention guide and most instructions align with that purpose, but the Job Template sets payload.model to an OpenRouter DeepSeek model while the text repeatedly says to default to anthropic/claude-sonnet-4-5 and explicitly notes that no OpenRouter key is needed. That mismatch is incoherent: a cron setup that 'doesn't need OpenRouter' should not use an openrouter model in its template. Also the SKILL.md embeds a hard-coded Telegram channel target (-1003856094222) and topic IDs — baking a fixed external destination into the conventions is a design choice that may not belong in a generic cron-setup skill.
!
Instruction Scope
Instructions require cron jobs to post results to Telegram using a 'message' tool and to include exact bash commands and error handling. The SKILL.md instructs posting to a specific channel and specific topic IDs; it also references tools like 'cron list' and a 'message' tool that are not declared in the skill metadata. Because the skill encourages sending arbitrary job output to a fixed external endpoint, it broadens the scope to include potential transmission of sensitive data.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no installer risk or remote code download to evaluate.
!
Credentials
The skill declares no required environment variables or credentials, yet the guidance assumes the agent has a 'message' tool capable of posting to Telegram and the job template includes an OpenRouter model string (openrouter/...). If an OpenRouter model is actually used it would typically require an API key (not declared). Likewise, posting to Telegram normally requires credentials or a configured tool; those are not documented. The absence of declared credential requirements is disproportionate to the external actions the instructions expect.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide config, and is instruction-only. It does not demand persistent presence or elevated platform privileges.
What to consider before installing
This skill is mostly a straightforward cron-job style guide, but you should not install or run it without clarifying a few things: (1) Ask the author to explain and fix the model inconsistency (text recommends anthropic/claude-sonnet-4-5 but the example uses openrouter/deepseek). If openrouter models are required, ask where the API key is stored and why it wasn't declared. (2) Confirm how Telegram posting is authenticated: the SKILL.md hardcodes a Telegram channel ID and topic IDs but declares no credentials — verify who controls that channel and whether you want scheduled jobs posting there. (3) Consider removing or parameterizing hard-coded targets (channel ID and topic IDs) so jobs don't inadvertently leak sensitive output to a shared external channel. (4) Test in a safe environment with non-sensitive payloads before enabling production runs, and require explicit environment variables or admin approval for any job that posts externally. If the author cannot justify the model/template mismatch and the embedded Telegram targets, treat the skill as unsafe to enable.

Like a lobster shell, security has layers — review code before you run it.

latestvk976r2ej0fy4c5rrf207ga5df181vk9d
657downloads
0stars
1versions
Updated 5h ago
v1.0.0
MIT-0
@brennerspear
latest
Download

Cron Job Setup

Our conventions for creating cron jobs in OpenClaw.

Default Settings

SettingDefaultWhy
Modelanthropic/claude-sonnet-4-5Reliable tool calls, works with any Anthropic Max plan — no OpenRouter needed
SessionisolatedCron jobs run in their own session, not the main chat
Delivery"mode": "none"Job handles its own output (posts to Discord, etc.)
Timeout120-180sMost jobs should finish fast

Model Notes

  • Default to Sonnet (anthropic/claude-sonnet-4-5). Reliable, portable (no OpenRouter API key needed).
  • DeepSeek is unreliable for tool calls — don't use it for cron jobs.
  • Use Opus (anthropic/claude-opus-4-6) only as a last resort — expensive for scheduled tasks.
  • Model ID format: Use anthropic/claude-sonnet-4-5 not the full dated version (anthropic/claude-sonnet-4-20250514).

Job Template

{
  "name": "descriptive-kebab-case-name",
  "schedule": {
    "kind": "cron",
    "expr": "*/30 * * * *",
    "tz": "America/New_York"
  },
  "sessionTarget": "isolated",
  "payload": {
    "kind": "agentTurn",
    "message": "TASK INSTRUCTIONS HERE",
    "model": "openrouter/deepseek/deepseek-v3.2",
    "timeoutSeconds": 120
  },
  "delivery": {
    "mode": "none"
  }
}

Schedule Patterns

PatternCron ExpressionNotes
Every 30 min*/30 * * * *Good for inbox checks, monitoring
Every hour0 * * * *Self-reflection, status checks
Daily at 4 AM0 4 * * *Cleanup, backups (during quiet hours)
Daily at 6 AM0 6 * * *Morning digests, daily summaries
Weekly Monday 2 PM0 14 * * 1Weekly outreach, reviews
One-shotUse "kind": "at" insteadReminders, one-time tasks

Task Instruction Conventions

  1. Be explicit with commands — Give the cron agent exact bash commands to run. It doesn't have our context.
  2. Include skip conditions — If there's nothing to do, the agent should reply SKIP to avoid wasting tokens.
  3. Handle its own output — The job should post results to Telegram (or wherever) using the message tool directly. Don't rely on delivery mode for formatted output.
  4. Include error handling — What should happen if a command fails?
  5. Keep instructions self-contained — The cron agent wakes up with no context. Everything it needs should be in the task message.

Telegram Posting from Cron Jobs

When a cron job needs to notify us, include these instructions in the task:

Post to Telegram using the message tool:
- action: send
- channel: telegram
- target: -1003856094222
- threadId: TOPIC_ID
- message: Your formatted message

Topic IDs:

  • 1 — Main topic (general updates, alerts)
  • 573 — Research
  • 1032 — Crypto
  • 1488 — PR updates / dev notifications
  • 1869 — Sticker store
  • 3188 — Activity feed (workspace changes)

Delivery Modes

ModeWhen to Use
"mode": "none"Job posts its own output to Telegram (most common)
"mode": "announce"OpenClaw auto-delivers the agent's final message to a channel. Use when output IS the message (e.g., daily digest). Set "channel": "telegram" and "to": "-1003856094222:TOPIC_ID"

Anti-Patterns

Don't use Opus for cron jobs unless the task genuinely needs it. Most cron tasks are simple checks. ❌ Don't use heartbeat for things that can be a cron job. Heartbeat runs in the main session (Opus) and costs way more. ❌ Don't create cron jobs that loop/poll — each run should be a single check. If you need polling, use a background exec script instead. ❌ Don't set delivery mode to "announce" and also have the job post to Telegram — you'll get duplicate messages.

Existing Jobs (Reference)

Check current jobs anytime with the cron list tool. As of setup:

  • workspace-activity-feed — Every 30 min, commits workspace changes, posts to activity feed
  • agentmail-inbox-check — Every 30 min, checks for new emails, responds to agents
  • sub-agent-monitor — Every 15 min, checks on stalled sub-agents
  • self-reflection — Hourly, reviews recent sessions for lessons learned
  • daily-workspace-commit — Daily 4 AM, git commits workspace changes
  • system-watchdog — Daily 4 AM, checks system resources
  • OpenClaw Daily News Digest — Daily 6 AM, generates news digest
  • sticker-sales-loop — Weekly Monday 2 PM, agent outreach for sticker store

Comments

Loading comments...