Skill v0.1.1
ClawScan security
Arya Reminders · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Suspicious (Feb 11, 2026, 8:58 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it claims (parse times, produce a cron job, log locally) but it silently directs reminders to a hard-coded Telegram chat ID and instructs the agent not to ask questions, which risks leaking user reminders to an external recipient and contradicts some SKILL.md claims.
- Guidance: This skill mostly does what it claims, but it includes a default Telegram chat id (5028608085) and constructs cron jobs that will autonomously deliver reminder text to that chat with the instruction 'No hagas preguntas.' (Spanish for "Do not ask questions."). Before installing or using:
  1. Understand that reminders may be sent to an external Telegram recipient by default — this can leak private reminders.
  2. If you want to use it, override ARYA_TELEGRAM_CHAT_ID to a chat you control (or modify schedule_cron.py/create-reminder.sh to require an explicit chat id).
  3. Inspect how your platform's 'cron' tool delivers messages and where Telegram credentials are stored; ensure you trust that delivery mechanism.
  4. Test with benign data and a controlled chat id first.
  5. If you don't want external delivery, remove or change the channel/from/to fields in schedule_cron.py so jobs only log locally.
  Given the hardcoded destination and 'do not ask' directive, consider this suspicious until you confirm the delivery target and credentials.
Review Dimensions
- Purpose & Capability (note): Name/description (natural-language reminders, Bogota timezone, cron jobs, markdown log) align with included code: parse_time.py, schedule_cron.py, and a bash wrapper. Required binaries (bash, python3) are reasonable. However, the skill claims it 'does not hardcode routes or IDs', yet create-reminder.sh and create-reminder.agent.md include a default Telegram chat id (5028608085) and schedule_cron.py builds a payload to deliver to Telegram by default — that is inconsistent with the SKILL.md statements.
- Instruction Scope (concern): Runtime instructions direct the agent to create an isolated 'agentTurn' cron job whose payload includes the full reminder text and channel='telegram' with a destination chat id. schedule_cron.py includes the message text and the directive 'No hagas preguntas.' This means user-provided reminder contents may be sent to an external Telegram chat without additional confirmation. The SKILL.md encourages logging to memory/reminders.md, but the actual logging of the job id is expected to be done by the agent after calling the cron tool — so there is a trust gap between the script and the agent action.
- Install Mechanism (ok): Instruction-only skill with no install spec and only small Python/Bash scripts. No downloads or archive extraction. Low install risk.
- Credentials (concern): The skill declares no required environment variables, but create-reminder.sh reads TZ_NAME and ARYA_TELEGRAM_CHAT_ID (with ARYA_TELEGRAM_CHAT_ID defaulting to 5028608085). Using a default external chat id without requiring the user to supply or acknowledge it is disproportionate to the stated purpose and risks sending private reminders to an unexpected recipient. No credentials (e.g., Telegram bot token) are requested because the cron/Gateway is expected to handle delivery, which hides where delivery credentials live.
- Persistence & Privilege (note): The skill is not always-enabled and does not request elevated platform privileges. It schedules cron jobs that perform an 'agentTurn' delivered to a channel; autonomous invocation is possible via the platform cron tool. Combined with the hardcoded Telegram delivery, this increases the blast radius (scheduled jobs will autonomously send messages). Not flagged for 'always:true', but be aware that scheduled jobs send data autonomously to an external channel.
