qqbot-remind-absolute

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its reminder purpose, but it has overbroad cron list/delete authority and inconsistent timezone instructions that users should review before installing.

Install only if you are comfortable giving this skill access to manage real OpenClaw cron jobs. Review the script or restrict the OpenClaw account if multiple QQ users or unrelated cron jobs share the same environment, because cancellation is by raw job ID and listing reads the global cron inventory. Also resolve the timezone documentation conflict before relying on time-sensitive reminders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to read and write local files and execute shell commands, yet it declares no permissions or guardrails. This creates a mismatch between advertised and actual capabilities, which can bypass permission-based review and allow operational side effects such as modifying timezone data or scheduling jobs without explicit approval boundaries.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The reference text says reminder times are resolved to absolute datetimes in Asia/Shanghai, which conflicts with the skill metadata stating reminders require explicit per-user timezone settings. In a reminder system, this can cause reminders to fire at the wrong real-world time for users outside that timezone, undermining user intent and potentially causing missed deadlines or unwanted notifications.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The remove action accepts any job ID and directly calls openclaw cron rm without verifying that the job belongs to the requesting QQ user. In this skill context, reminder IDs can become a cross-tenant capability, allowing one user to delete another user's reminders or potentially other OpenClaw cron jobs if IDs are guessed or obtained.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The list action retrieves the global OpenClaw cron inventory and filters it client-side for the requested QQ target. Even if only filtered results are printed, the skill is granted broader scheduler visibility than necessary, increasing the blast radius of bugs, logging leaks, future code changes, or misuse in a multi-user environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs execution of real system commands that create, update, list, and remove reminder cron jobs, but it does not require an explicit warning or confirmation before performing these side effects. In context, this is more dangerous because the skill is specifically designed to manage real reminders for users, so ambiguous or maliciously phrased requests could cause unintended persistent changes to system state.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The text effectively instructs scheduling in Asia/Shanghai without user choice or opt-in, which is inappropriate for a skill whose purpose is to manage reminders for arbitrary QQ users. Because reminder timing is security- and reliability-relevant for real cron job execution, forcing a fixed timezone can lead to systematic misdelivery and user harm, especially for time-sensitive reminders.

VirusTotal

67/67 vendors flagged this skill as clean.
