Security audit

OpenClaw Timebox

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed productivity workflow that keeps local work logs and can optionally sync calendars, notes, and TickTick/Dida tasks.

Install this only if you want detailed daily work records stored locally and optional updates to calendars, TickTick/Dida, Flomo, Notion, Feishu, or Google services. Keep task_sync set to none unless needed, protect the TickTick token file and any API tokens, and avoid sending confidential client or business details to third-party note services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly instructs file writes and network access, yet no permissions are declared. That creates a consent and sandboxing gap: a host may not surface the real capabilities to users or may fail to enforce least privilege before the skill writes config files, logs, tokens, or calls third-party APIs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
83% confidence
Finding
The description mentions integration with external tools, but omits important implementation details: launching a browser, starting a localhost HTTP callback server, requesting OAuth scopes, and persisting tokens on disk. Users may consent to a productivity workflow without realizing the skill can obtain durable third-party access credentials.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The Flomo section says each timebox can be pushed as an independent note, which contradicts the stated rule that only end-of-day summaries should be synced externally. This inconsistency can cause more granular user work records to be transmitted than users expect, increasing privacy exposure.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases include common requests such as “帮我规划任务” and “start timebox,” which can plausibly appear in normal assistant conversations unrelated to explicit skill invocation. This increases the chance of accidental activation, causing the skill to start logging, planning, or initiating external integrations in contexts where the user did not intend to invoke this workflow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises persistent local logging and automatic synchronization to external services, but does not clearly warn users what data is stored, where it is stored, how long it is retained, or what content is transmitted to Flomo, Notion, Feishu, calendars, or TickTick. In a productivity skill, collected task descriptions, schedules, reflections, and daily summaries can contain sensitive personal or business information, so silent persistence and sync materially increase privacy and data-exposure risk.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Broad trigger phrases like 'timebox', '帮我规划任务', or 'task planning' can activate the skill during ordinary conversation. Because the skill writes logs, schedules reminders, and may sync to external services, accidental invocation can lead to unintended data capture and transmission.

Vague Triggers

Medium
Confidence
87% confidence
Finding
RUN activation phrases such as '开始' or '开始做{任务名}' are extremely common in normal chat. In this skill context, ambiguous activation can create logs, schedule cron jobs, and alter workflow state without clear user intent.

Vague Triggers

Medium
Confidence
86% confidence
Finding
CHECK triggers such as '完成了' or '结束了' are too generic and may match ordinary chat unrelated to this skill. That can cause unintended logging of status updates and external task updates against TickTick/Dida records.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill persistently stores detailed daily plans, execution records, CHECK results, and review notes in local Markdown files, but this is not prominently disclosed in the user-facing description. Users may reveal sensitive work content without informed consent about retention and local storage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill can send task names, summaries, and review-derived content to external services like Flomo, Notion, Google, Feishu, and TickTick, but this is not surfaced as a prominent warning. This creates a real risk of users unknowingly exporting sensitive personal or business information to third parties.

Ssd 3

Medium
Confidence
89% confidence
Finding
The instructions explicitly direct the agent to persist user task details and execution notes into logs and linked tools. Since users may include client names, meeting details, deadlines, or internal project information in natural language, the skill creates a substantial confidentiality risk through broad retention and onward sharing.

Ssd 3

Medium
Confidence
90% confidence
Finding
Daily summaries and review content are synthesized from user inputs and may contain sensitive business, health, or personal information in plain language. Syncing that text to external platforms expands exposure, retention surface, and third-party access beyond the original chat context.

Session Persistence

Medium
Category
Rogue Agent
Content
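#### Create the timebox task (when PLAN completes)

```bash
# Values in {braces} are template placeholders, not literal arguments.
dida task create \
  --title "[Timebox #{N}] {任务名}" \
  --project {dida_project_id} \
  --content "优先级:{priority} · 紧急程度:{urgency}\n计划时间:{HH:MM},时长 {duration} 分钟" \
  --dueDate "{ISO8601_end}" \
  --json
```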
Confidence
82% confidence
Finding
`create --title "[Timebox #{N}] {任务名}" --project {dida_project_id} --content "优先级:{priority} · 紧急程度:{urgency}\n计划时间:{HH:MM},时长 {duration} 分钟" --dueDate "{ISO8601_end}" --json`

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.