Cronjob
Security checks across malware telemetry and agentic risk
Overview
This appears to be a local-only cron logging helper; the main things to notice are persistent plain-text logs, raw exports, and a minor install/dependency disclosure gap.
Use this as a local cron/job note and history tool, not as a full automatic cron manager. Do not put secrets, API keys, or sensitive command output into log entries. Before exporting or sharing data from `~/.local/share/cronjob/`, review the files for sensitive content and be careful opening CSV exports in spreadsheets.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may require manual setup or a wrapper command before `cronjob` works, and users should ensure they are installing the reviewed script rather than an unreviewed copy.
The registry metadata under-declares the local Bash/Unix dependency and does not provide an install mechanism even though a runnable script is present. This is not suspicious by itself, but users should manually verify how the script is installed.
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill. ... Code file presence: scripts/script.sh
Install only from the declared source or reviewed artifact, and verify that Bash and the documented Unix utilities are available.
Sensitive job names, failure messages, file paths, or credentials typed into log entries could remain on disk and later be shown or exported.
The skill intentionally persists user-provided cron/job observations and history in local plain-text files. This is disclosed and purpose-aligned, but those entries may contain operational details or secrets if the user includes them.
All data is stored locally in plain-text log files ... Location: `~/.local/share/cronjob/` ... History: All operations are additionally logged to `history.log` ... Export
Avoid logging secrets or tokens, review the local data directory before sharing exports, and delete old logs if they are no longer needed.
If log entries contain quotes, commas, newlines, or spreadsheet formulas, exported files may display incorrectly or behave unexpectedly when opened in downstream tools.
Exported JSON and CSV values are written directly from stored log text without visible escaping or CSV quoting. A strange or untrusted log entry could produce malformed exports or be misinterpreted by spreadsheet/dashboard tools.
printf ' {"type":"%s","time":"%s","value":"%s"}' "$name" "$ts" "$val" >> "$out" ... echo "$name,$ts,$val" >> "$out"Review exported files before importing them into spreadsheets or dashboards, and avoid logging untrusted formula-like text such as values beginning with `=`, `+`, `-`, or `@`.