ClawHub

Cron Backup

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local backup skill, but it needs review because it can install persistent cron jobs and includes unsafe shell command execution paths.

Install only if you deliberately want local cron-based backup automation. Use trusted absolute paths, avoid command-string version sources, inspect the exact crontab entry after setup, and test cleanup only on a dedicated backup directory because old backup files may be permanently deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script treats the version source as executable input and, in the fallback path, runs it with eval. If an attacker can influence the second argument, they can execute arbitrary shell commands with the privileges of the backup job, which is especially risky for cron-based automation that often runs unattended and sometimes with elevated privileges.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The script is presented as a version-change backup utility, but its implementation expands that scope by executing user-provided commands to obtain the version. This mismatch can cause operators to trust and schedule the script in automation without realizing they are effectively allowing command execution, increasing the chance of unsafe deployment.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This script writes directly to the user's crontab, which creates persistent scheduled execution outside the immediate backup operation. In the context of a backup-scheduling skill this behavior is expected, but it is still a real security-sensitive capability because untrusted or insufficiently validated inputs can install arbitrary recurring commands.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents automated deletion of old backups but does not prominently warn that cleanup is destructive and can permanently remove recovery points if the path, age threshold, or retention settings are wrong. In a backup-focused skill, this is more dangerous because users may trust the automation and schedule recurring deletion against important backup directories without adequate safeguards.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Using eval on a user-supplied string is a direct command-injection sink. Shell metacharacters, command substitution, chaining, and redirection will be interpreted by the shell, allowing arbitrary code execution if an untrusted or accidentally malformed value is passed as VERSION_SOURCE.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal