Workday Music & Greet
PassAudited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it claims, but it needs careful setup because it uses SMTP email credentials, local command execution, and recurring cron jobs.
Install only if you want recurring weekday automation that can run local music-control commands and send emails from your SMTP account. Before enabling cron, inspect scripts/config.json, use a restricted email app password, verify the recipient, and know how to remove the scheduled jobs.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can run local commands when a scene is triggered.
The script runs a shell command using a scene value loaded from config.json. This is expected for controlling music scenes, but unsafe config edits could turn it into broader command execution.
execSync(`home-music ${scene.musicScene}`, { stdio: 'inherit', timeout: 15000 });Only use trusted scene names, avoid shell metacharacters in config.json, and prefer a safer implementation such as execFile/spawn with fixed arguments.
Anyone or anything running the configured cron/script with access to the .env file can send the configured greeting emails through that SMTP account.
The skill authenticates to the user's SMTP account to send greeting emails. This is aligned with the email feature, but it grants send-mail authority.
auth: { user: process.env.SMTP_USER, pass: process.env.SMTP_PASS }Use an app-specific SMTP password, verify SMTP_HOST/GREET_TO/SMTP_FROM before enabling cron, and protect or remove the .env file when not needed.
Music changes and greeting emails may continue to run on weekdays until the cron jobs are removed.
The setup script prints recurring OpenClaw cron commands for each configured scene. This is the advertised scheduling behavior, but it creates persistent automation if registered.
openclaw cron add "${expr}" "node ${scriptPath} ${key}"Review each generated cron entry, confirm the schedule and timezone, and keep a record of how to list and remove these jobs.