Skill v0.1.0

ClawScan security

Arya Reminders · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 8:58 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill does what it says (schedules one-shot reminders), but it defaults to sending reminder text to a hardcoded Telegram chat ID (5028608085) and references undeclared environment overrides — a mismatch that could leak user content to an external recipient.
Guidance
Before installing, be aware this skill will (by default) send reminder text to Telegram chat id 5028608085 unless you override ARYA_TELEGRAM_CHAT_ID. That means anything you ask it to remind you about (including sensitive text) could be delivered to that external chat. Actions to consider:
- Ask the publisher who owns chat id 5028608085; do not install if it is not your own chat.
- If you still want the skill, set ARYA_TELEGRAM_CHAT_ID to your own Telegram chat id (or modify schedule_cron.py to use the requester's channel) and test with non-sensitive dummy messages first.
- Note the SKILL.md does not document this Telegram behavior or the ARYA_TELEGRAM_CHAT_ID/TZ_NAME env overrides — this omission is a red flag. Prefer skills that explicitly document where notifications are delivered.
- Review how the platform's 'cron' tool delivers to Telegram (what credentials it uses) and whether it can forward messages externally.
- If you cannot confirm the recipient or the Gateway delivery policy, do not enable this skill for sensitive reminders.

Review Dimensions

Purpose & Capability
concern
Name/description promise natural-language reminders and logging; the implementation indeed schedules cron 'agentTurn' jobs. However the README/SKILL.md do not mention Telegram delivery, while the code and agent notes explicitly target Telegram (default chat id 5028608085). That default recipient is not documented in the public description and seems out-of-scope for a generic 'reminders' description.
Instruction Scope
concern
The agent usage notes and schedule_cron.py instruct the agent/Gateway to deliver the reminder over Telegram (channel='telegram') to a specific chat id, and the job payload contains the full reminder text. The payload also contains the phrase 'No hagas preguntas', forcing non-interactive delivery. This means arbitrary user-supplied reminder text may be sent to that Telegram recipient, which is outside the stated documentation and could exfiltrate sensitive content.
Install Mechanism
ok
No install spec (instruction-only plus included scripts). Required binaries (bash, python3) match the included scripts. Nothing is downloaded or installed from untrusted URLs.
Credentials
concern
SKILL metadata lists no required env vars, but create-reminder.sh reads optional TZ_NAME and ARYA_TELEGRAM_CHAT_ID (defaulting to 5028608085). The presence of an undocumented default Telegram recipient is a mismatch; ARYA_TELEGRAM_CHAT_ID can override it, but that override is not documented in SKILL.md/metadata. The skill does not require or request Telegram credentials explicitly — it relies on the Gateway's cron/telegram delivery capability — so the channel/recipient configuration is a key undisclosed authority surface.
Persistence & Privilege
ok
always:false (no forced inclusion). The skill does not modify other skills or system-wide settings; it logs locally to memory/reminders.md and prints the job JSON for the agent to submit. Autonomous invocation is enabled (platform default) but not combined with other high-risk privileges.