openclaw-cron
Warn
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides wrappers for the `openclaw cron` CLI, allowing an agent to schedule and execute arbitrary shell commands and system tasks.
  - Evidence: Multiple examples in `SKILL.md` and `references/cron-commands.md` demonstrate using `openclaw cron add` to run logic in the background.
- [DATA_EXFILTRATION]: The skill includes documentation examples with hardcoded external destinations, which may lead to unauthorized data transmission if used without modification.
  - Evidence: `SKILL.md` and `references/cron-commands.md` specify a hardcoded Telegram chat ID (5223431061) in example delivery options.
  - Evidence: A 'Daily Backup' example in `references/cron-commands.md` shows a command sequence designed to push local files to a remote GitHub repository via `git push`.
- [REMOTE_CODE_EXECUTION]: The skill facilitates the execution of local scripts and interactions with remote services through the persistence layer.
  - Evidence: The 'Daily Backup' example contains a shell command chain: `python3 ~/.openclaw/workspace/skills/openclaw-backup/scripts/backup.py --name daily && git push`.
- [PROMPT_INJECTION]: The skill provides an interface for scheduling tasks based on natural language messages, which creates a surface for indirect prompt injection.
  - Ingestion points: The `--message` argument in the `openclaw cron add` command (found in `SKILL.md`).
  - Boundary markers: The skill does not provide or require delimiters to separate user input from the instructions processed by the agent during scheduled execution.
  - Capability inventory: The skill has the ability to manage persistence (cron), execute shell commands, and perform network operations via the referenced CLI tool.
  - Sanitization: There is no evidence of validation or escaping of the message content before it is stored for future execution.
Audit Metadata