PomoClaw

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: pomoclaw
Version: 1.0.0

The skill is classified as suspicious because its `SKILL.md` instructions explicitly direct the AI agent to execute shell commands using `bash -c` and read local files using `cat`. While these actions are intended for benign purposes (controlling a pomodoro timer via URL scheme and reading its status file), they expose the agent to powerful primitives that could be exploited via prompt injection by a malicious user to execute arbitrary commands or read sensitive files beyond the skill's stated purpose. There is no evidence of intentional malicious behavior within the skill itself, but it demonstrates and enables risky capabilities for the agent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may run a local command to start, pause, stop, or query the timer when the user asks.

Why it was flagged

The skill uses a local command-execution tool to invoke the timer app, which is expected for controlling a macOS URL scheme but is still worth noting.

Skill content

Run via `nodes.run` on the Mac node using `bash -c "open 'pomoclaw://...'"`

Recommendation

Use the skill only for timer-related requests and avoid broadening the command pattern beyond the documented pomoclaw:// URLs.

What this means

Users need to ensure the external PomoClaw app they install is the intended one.

Why it was flagged

The skill relies on a separately installed external app from a latest-release link rather than an included or pinned install artifact.

Skill content

**Download:** https://github.com/vkozlovskyi/PomoClaw/releases/latest

Recommendation

Verify the GitHub project and release before installing the app, especially because the registry metadata lists no homepage or install spec.

What this means

If used, the PomoClaw app may continue launching automatically after restarts or new logins.

Why it was flagged

The skill documents a configuration command that can make the timer app start automatically at login; this is disclosed and related to the app's purpose.

Skill content

pomoclaw://config?launchAtLogin=true # Enable launch at login

Recommendation

Only enable launch at login if the user explicitly wants the timer app to persist across sessions.