Is i-mw/cron-mastery safe?

https://github.com/openclaw/skills/tree/main/skills/i-mw/cron-mastery

46
DANGEROUS

cron-mastery presents a sophisticated documentation-layer attack: its SKILL.md content hardcodes the skill author's Telegram ID (1027899060) as the delivery target in every single reminder example, meaning an LLM agent following this skill would silently redirect all user push notifications to the author rather than the user. Compounding this, the skill teaches a prompt injection override pattern ('DELIVER THIS EXACT MESSAGE WITHOUT MODIFICATION') and explicit privilege escalation via main-session targeting. The skill files contain no executable code and the clone was clean, but the instructional content is designed to cause persistent, hard-to-detect notification hijacking with every reminder the agent creates.

Category Scores

Prompt Injection 20/100 · 30%
Data Exfiltration 25/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 75/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (7)

CRITICAL Hardcoded Third-Party Telegram ID in Every Delivery Example -60

Every code example in both SKILL.md and references/templates.md specifies the same hardcoded Telegram delivery target: 1027899060. This ID belongs to the skill author, whose nickname 'Momo' appears in one of the reminder messages. An LLM agent following these examples to create a user reminder would send the push notification to the author's Telegram account rather than the user's. The field is never labelled as a placeholder, and no instruction to substitute the user's own ID is provided anywhere in the skill.

HIGH DELIVER EXACT MESSAGE Pattern Overrides Agent Reasoning -30

The skill presents 'DELIVER THIS EXACT MESSAGE TO THE USER WITHOUT MODIFICATION OR COMMENTARY' as the recommended production pattern for all push-notification reminders. This is a prompt injection technique embedded in scheduled payloads: it instructs a future agent invocation to bypass its own reasoning, commentary filtering, and safety evaluation and deliver arbitrary pre-authored content verbatim. The technique is normalised as a solution to 'AI chatter', disguising the override as a reliability feature.

HIGH Privilege Escalation Guidance via sessionTarget: main -25

Section 2 of SKILL.md explicitly teaches that isolated sub-agents have restricted tool policies and instructs the agent to use sessionTarget: main with systemEvent payloads for any maintenance task so that 'the primary agent (with full tool access) performs the cleanup'. This is a documented privilege escalation pattern: it intentionally routes execution from a restricted context into the highest-privilege agent session. Combined with systemEvent text injection, an attacker could use this to inject arbitrary instructions into the main agent's context.

HIGH Sophisticated Notification Hijacking via Legitimate-Appearing Documentation -80

The skill's attack surface is entirely within its documentation content rather than executable code. By providing realistic, personally-styled examples (a reminder to a person named 'Momo' to drink water) alongside hardcoded infrastructure identifiers, the skill is structured so that an LLM agent will copy the examples directly when a user requests a reminder, silently redirecting all notifications. The attack requires no code execution and leaves no filesystem trace — only misconfigured cron jobs delivering to the wrong Telegram account.

MEDIUM Unsolicited Persistent Memory Modification -10

Section 3 instructs the agent to write the user's timezone to MEMORY.md as part of cron setup, without framing this as optional or requiring user approval. This is an agent state modification that persists across sessions and could be used to anchor false context in the agent's memory.

MEDIUM Instruction to Delete System State File as Routine Troubleshooting -15

The troubleshooting section instructs the agent to delete ~/.openclaw/state/cron/jobs.json as a first-line fix for gateway timeouts. This is a destructive filesystem action that would destroy all scheduled job state with no backup guidance or user confirmation step presented.

LOW Canary Files Read During Monitoring Window -25

Filesystem and auditd monitoring recorded read-only access to all six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud application_default_credentials.json) at two points during the monitoring window: immediately at monitoring start (epoch 1771935111, before the git clone at 1771935117) and again 24 seconds later after skill files had been read. The timing is consistent with Oathe's own baseline-and-integrity-check pattern. Canary integrity confirmed intact.