ClawHub

Cron Limited

Security checks across malware telemetry and agentic risk

Overview

This reminder skill is mostly purpose-aligned, but it creates persistent scheduled messaging and has unsafe scripting that could execute crafted local input.

Review before installing. Use it only if you are comfortable with local reminder storage, daily cron persistence, and automatic future messages to configured recipients. Avoid untrusted reminder text, channel, recipient, lunar date, or timing values until the script safely serializes inputs and uses a declared trusted Python environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to read a local JSON file under ~/.openclaw/cron-limited/birthdays.json and describes persisting birthday configuration there, but it declares no permissions. Undeclared file read/write capability is dangerous because it hides stateful local-data access from users and the platform, reducing auditability and enabling unexpected access to sensitive reminder content and recipient identifiers.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill behavior goes beyond its stated purpose by persisting reminder data locally, creating a hidden daily check flow triggered by a special message, and relying on indirect task deletion behavior. This mismatch is risky because users may authorize a simple reminder skill without realizing it creates autonomous recurring actions and local state, which can lead to stealthy message sending or hard-to-audit persistence.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script claims to enforce exactly N executions, but it implements this by creating a separate deletion cron scheduled after an estimated delay. Because the main repeating job is not bounded intrinsically, scheduler timing, drift, queue delays, or cron semantics can allow one or more extra runs before the cleanup job executes, violating the advertised execution limit and potentially causing repeated messages or actions beyond user intent.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill advertises yearly lunar reminders after solar conversion, but this script only stores configuration and creates a daily marker job with a special message, without implementing reminder delivery logic here. This is a security-relevant integrity issue because users may rely on the advertised automation for important reminders, while actual behavior depends on unspecified external agent behavior and may silently fail or be abused if another component interprets the marker unexpectedly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description does not warn users that it stores reminder records in a local file and can later send outbound messages automatically based on that stored data. Lack of disclosure undermines informed consent and can expose personal dates, custom messages, and recipient addresses while enabling unexpected autonomous communications.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal