cronlint
Warn
Audited by ClawScan on May 10, 2026.
Overview
CronLint is mostly a local cron-job scanner, but its license validation builds Python/Node commands from decoded license-token text in a way that could execute local code if a crafted license key is used.
CronLint appears intended to run locally on your codebase, but install with caution until the license-validation code is fixed. Use only trusted license keys, avoid passing secrets with --license-key, scan only intended directories, and install git hooks only if you want automatic commit/push scanning.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed license key could cause local commands to run during license checks, status checks, or paid-tier scans.
The decoded JWT payload and JSON text come from the user-provided license key or local config, then are interpolated directly into Python code strings without escaping or passing via stdin.
exp_val=$(python3 -c "import json; print(json.loads('$decoded').get('exp', ''))" ...)
...
python3 -c "import json; print(json.loads('$json').get('$field', ''))"
Do not use license keys from untrusted sources. The skill should parse JSON by passing input through stdin or a file, avoid embedding untrusted text in code strings, and cryptographically verify license signatures.
The skill can access the CronLint license key stored for this skill, but the provided artifacts do not show network transmission of that key.
The skill reads a CronLint API/license key from the environment or the user's OpenClaw config. This is scoped to the skill's own config entry and is expected for paid-tier licensing.
OPENCLAW_CONFIG="${HOME}/.openclaw/openclaw.json"
...
cfg.get('skills', {}).get('entries', {}).get('cronlint', {}).get('apiKey', '')
Store only the intended CronLint license key for this skill, and prefer environment or config storage over passing the key directly on the command line.
If hooks are installed, commits or pushes may be blocked by CronLint findings and local scans will run automatically in that repository.
The included lefthook configuration runs CronLint automatically on commit and push after hooks are installed. This is persistent repository behavior, but it is disclosed and aligned with CI/git-hook scanning.
pre-commit: ... hook_cronlint_check ...
pre-push: ... bash "$CRONLINT_SKILL_DIR/scripts/dispatcher.sh" --path . --format text
Install hooks only in repositories where you want automatic scans, and remove or disable the lefthook configuration if it interferes with your workflow.
The skill may read and print snippets from local source files in the target directory.
The scanner walks files under the selected target path and records matched source lines for reporting. This is expected for a code-analysis tool and includes exclusions for common vendor, build, binary, and ignored files.
find "$search_dir" -maxdepth 10 ... -type f -print0
...
matched_text="${match_line#*:}"
Run scans only on directories you intend to analyze, and review generated reports before sharing them outside your machine or organization.
