Is remindme safe?

https://clawhub.ai/JacobTheJacobs/remindme

85 · SAFE

This is a clean, prompt-only reminder skill with zero executable code, no dependencies, no network activity, and intact canary files. The skill provides well-structured natural language parsing instructions for scheduling reminders via the platform's cron API. Minor concerns include an autonomous Janitor cleanup template, MEMORY.md access for preferences, and the 'last' channel fallback, but none represent meaningful security risks.

Category Scores

Prompt Injection 78/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (5)

LOW Janitor template enables autonomous job deletion -10

The TEMPLATES.md file includes a 'Janitor' cron job that instructs the agent to autonomously list and delete cron jobs whose names start with 'Reminder:' and are disabled. While scoped, this creates an autonomous deletion pattern that could interact poorly with other skills using similar naming conventions.

LOW Extensive agent behavioral shaping via structured instructions -7

The skill provides a detailed 4-layer parsing pipeline, delivery channel detection logic, and validation rules that significantly shape agent behavior. While this is expected and legitimate for a reminder skill, the instruction surface area is large, which increases the potential for unintended behavioral interactions with other skills.

LOW MEMORY.md read access for preferences -5

The skill instructs the agent to check MEMORY.md for timezone overrides and preferred reminder channels. This is legitimate but grants the skill awareness of user memory contents during execution.

INFO Platform reads .env and .aws/credentials during startup -10

Filesystem monitoring shows the OpenClaw platform (not the skill itself) reading /home/oc-exec/.env and /home/oc-exec/.aws/credentials during gateway initialization. This is platform behavior, not attributable to the skill, but is noted for completeness.

INFO Fallback to 'last' channel could deliver to unintended context -5

When no explicit channel is specified and no preferred channel exists, the skill falls back to channel: 'last', which delivers to wherever the user last interacted. In edge cases, this could send a reminder to an unintended audience (e.g., a group chat).