Workday Music Greeting
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: workday-music-greeting
Version: 1.2.0
The skill contains a critical shell injection vulnerability in `scripts/workday-greeting.js`. The `switchScene` function executes a shell command using `execSync` with the `slot` variable, which can be directly controlled by the user via the `--slot` command-line argument without any validation or sanitization. While the stated purpose of automating music and emails is plausible, this flaw allows for arbitrary remote code execution (RCE) if the agent or a user provides a crafted argument (e.g., `--slot "morning; command_here"`).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If MUSIC_CMD is set to an unsafe command, running the skill could execute that command locally.
The skill runs a local shell command to switch music scenes. This is purpose-aligned, but the command comes from an environment variable and is executed through the shell.
const cmd = process.env.MUSIC_CMD || 'home-music';
...
execSync(`${cmd} ${slot}`, { stdio: 'inherit', timeout: 15000 });
Use only a trusted MUSIC_CMD value, preferably the intended home-music command. A safer implementation would use spawn/execFile with fixed arguments and explicit slot validation.
The skill can send emails using the configured SMTP account.
The skill uses SMTP credentials to send email from the configured account to GREETING_TO, which is expected for its greeting-email purpose.
auth: { user: process.env.SMTP_USER, pass: process.env.SMTP_PASS }
...
await transporter.sendMail({ from: process.env.GREETING_FROM || process.env.SMTP_USER, to, subject, html });
Use an app-specific password or a limited-purpose email account, set GREETING_TO carefully, and do not configure SMTP credentials unless you want the skill to send these messages.
If scheduled, it may repeatedly switch music scenes and send greeting emails at the configured times.
The documentation suggests user-configured cron scheduling, which can make the skill run repeatedly without manual invocation.
Set up as an OpenClaw cron job for fully automatic daily operation
Only create the cron jobs you actually want, verify the timezone and recipient, and remove the schedule if you no longer want automatic behavior.
