Is cron-mastery safe?

https://clawhub.ai/i-mw/cron-mastery

85
SAFE

cron-mastery is a documentation-only skill that teaches OpenClaw agents how to use the platform's cron scheduling system for reminders, recurring jobs, and cleanup. It contains no executable code, no data exfiltration vectors, and no malicious prompt injection. The primary risk surface is behavioral — the skill comprehensively documents agent persistence and autonomous scheduling mechanisms that could theoretically be leveraged by a malicious companion skill. All filesystem activity during installation was attributable to the OpenClaw platform runtime, not the skill itself.

Category Scores

Prompt Injection 78/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (9)

LOW Autonomous deletion logic via Janitor pattern -8

The skill defines a 'Daily Janitor' pattern that instructs the agent to autonomously list and delete cron jobs matching specific criteria (enabled=false, lastStatus=ok) without per-action user confirmation. While this is a legitimate cleanup pattern for one-shot jobs, it establishes a precedent for agent-autonomous resource deletion.

LOW Instructs agent to write to persistent memory -5

The Timezone Lock section instructs the agent to add the user's timezone to MEMORY.md, a cross-session persistence file. This is a documented OpenClaw pattern but represents the skill teaching the agent to modify its own persistent state.

INFO Strong behavioral directives in skill content -4

The skill uses emphatic language ('CRITICAL', 'ALWAYS', 'MUST', 'Never') to shape agent behavior around scheduling patterns. These are appropriate for a tutorial skill but do impose behavioral constraints on the agent.

LOW Self-wake pattern enables persistent agent activation -5

Section 4 teaches agents to schedule self-wake cron jobs to maintain activity across turns. This is a legitimate OpenClaw pattern but documents the mechanism by which an agent can ensure it keeps running — knowledge that could be combined with malicious skills for persistence.

INFO OpenClaw runtime reads AWS credentials during startup -5

The filesystem monitoring shows the OpenClaw platform itself opened /home/oc-exec/.aws/credentials during the gateway initialization sequence. This is platform behavior, not skill behavior, but indicates the runtime environment has access to sensitive credential files.

INFO OpenClaw runtime reads .env and config files during startup -5

Standard OpenClaw initialization reads .env, .profile, .bashrc, and multiple openclaw.json config files. This is expected platform behavior during skill installation.

INFO JIT compilation cache created in /tmp -5

The OpenClaw runtime created multiple .cjs files in /tmp/jiti/ during startup. This is standard jiti (Just-In-Time TypeScript compilation) behavior and is part of the platform, not the skill.

MEDIUM Skill documents agent persistence and autonomous scheduling mechanisms -18

While entirely legitimate as a cron tutorial, this skill comprehensively documents how to: (1) schedule recurring autonomous agent turns, (2) ensure message delivery to users, (3) maintain agent activity across sleep cycles, and (4) autonomously delete scheduled jobs. This knowledge base could be leveraged by a malicious companion skill to establish scheduled exfiltration or social engineering campaigns.

INFO Lock file references unrelated skill -5

The .clawhub/lock.json references 'academic-research-hub' rather than 'cron-mastery', suggesting the test environment had a pre-existing skill installation. This is not a security issue but a minor inconsistency in the audit environment.