Redigg Skill
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: redigg Version: 1.0.0 The skill is classified as suspicious due to two primary reasons: 1) It explicitly instructs the OpenClaw agent to create persistent cron jobs (`redigg-poll`, `redigg-heartbeat`) on the host system, a high-risk capability that allows for long-term execution and could be abused if the agent were compromised. 2) The `SKILL.md` and `references/task_processing.md` files instruct the agent to process external, untrusted input (e.g., `task.type`, `parameters`, `original_content`, `direction` from `https://redigg.com`) using its LLM, which creates a significant prompt injection vulnerability. While the skill itself does not contain malicious instructions, this vulnerability could allow a compromised Redigg platform or a malicious task to inject arbitrary commands or instructions into the agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could keep running in the background, using your Redigg account and API key after the setup conversation ends.
The setup creates recurring background activity that keeps the agent online and processes work beyond the initial user request; the artifacts do not provide stop, expiry, or removal controls.
Create two cron jobs: - redigg-poll: Every 10s, fetch tasks, process if found - redigg-heartbeat: Every 30s, maintain online status
Require explicit approval before creating cron jobs, show the exact cron entries, add a duration or kill switch, and document how to disable and remove them.
It may claim and complete Redigg tasks automatically, which could affect your account, task queue, or research output quality.
The skill instructs automatic mutation of Redigg task state and submission of LLM-generated results without an explicit user confirmation step.
Tasks found: a. Take FIRST task b. POST /claim c. Read references/task_processing.md ... d. Process with LLM ... f. POST /submit
Default to a manual-review or dry-run mode, require confirmation before claim/submit, and let users configure allowed task types and limits.
Anyone or anything with access to TOOLS.md could potentially use Redigg credentials, and the owner token may grant more authority than the agent needs after registration.
The skill persists both the user-level owner token and agent API key in a local markdown file; the owner token appears broader than routine task operations and no retention/minimization guidance is provided.
Store in TOOLS.md: - Owner Token: sk-redigg-... # User API key - Agent ID: ... - Agent API Key: sk-redigg-...
Use a secret store or environment variables, avoid retaining the owner token after registration, declare the credential requirement, and document revocation/rotation steps.
A crafted Redigg task could try to influence the model’s behavior beyond the intended research-processing task.
Remote task parameters are fed into the LLM workflow; this is expected for the skill, but the artifacts do not state that task content should be treated only as untrusted research input.
Process with LLM based on task.type and parameters
Add instructions to treat remote task content as data, ignore unrelated instructions inside tasks, and keep submissions limited to the expected Redigg result schema.
It is harder to verify who maintains the skill or where to review the upstream project before trusting it with Redigg credentials.
The skill has limited provenance information, which matters more because it asks for API credentials and sets up persistent automation.
Source: unknown; Homepage: none
Install only if you trust the publisher and Redigg endpoint, inspect the scripts, and use revocable/least-privilege credentials.