Skill v1.0.0

ClawScan security

Cron Job Token Auditor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 12, 2026, 11:48 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill is an instruction-only, read-only auditor for OpenClaw Gateway cron jobs, and its requirements and instructions are consistent with that purpose.
Guidance
This is a read-only advisory skill and appears coherent: it will examine jobs.json or use the OpenClaw CLI to produce audit reports and migration suggestions. Before installing, confirm that the agent will only be given access to the job definitions you want it to see (do not upload secrets or API keys). If you paste job JSON for review, redact any inline tokens/IDs you don't want exposed. Remember that the agent could be invoked autonomously by default; if you prefer manual invocation, keep using it only on demand. If you need higher assurance, ask the skill author to publish a minimal CHANGELOG or sign-off, but functionally the skill is proportionate to its purpose.

Review Dimensions

Purpose & Capability
ok
Name/description match the runtime instructions: the skill only needs to read jobs.json or use the OpenClaw CLI to classify scheduled jobs and recommend script-based migrations. No unrelated binaries, services, or credentials are requested.
Instruction Scope
ok
SKILL.md confines itself to reading job definitions (jobs.json or openclaw cron), heuristics for classification, redaction of secrets, and producing a report. It explicitly forbids editing jobs.json or system units unless the user requests drafts; it does not instruct the agent to read other system files or exfiltrate data to external endpoints.
Install Mechanism
ok
There is no install spec and no code files; this is documentation-only. Nothing is downloaded, written, or executed by the skill itself, minimizing install-time risk.
Credentials
ok
The skill declares no required environment variables, credentials, or config paths. The operations described (reading jobs.json or invoking the OpenClaw CLI) align with the skill's stated purpose and do not request excessive permissions.
Persistence & Privilege
ok
always:false and normal autonomous invocation are appropriate. The skill does not request permanent system changes or modification of other skills/configs; SKILL.md explicitly forbids automatic edits.