by 安全扫描
OpenClaw
可疑
medium confidence该技能的目的(计划未来代理操作)与其安装和请求相符,但运行时代码使用用户提供的字段构建 shell 命令,缺乏强大的清洗,存在命令注入/滥用风险,SKILL.md 中要求用户避免而不是强制执行。
评估建议
该技能一般按照描述工作——计划 OpenClaw 代理在后期运行——但目前依赖调用者避免危险输入而不是强制执行安全性。安装前:1) 确认 `OPENCLAW_BIN` 指向可信、最低权限的 OpenClaw 二进制文件。2) 查看或修改 `to-do.js` 避免基于 shell 的 exec 插值(使用 spawn/execFile 与参数数组或严格验证/清洗 `userId`、`channel` 和任务内容)。3) 在非生产环境中测试计划以确认无命令注入路径(尝试攻击者样式输入)。4) 更倾向于限制计划消息为非敏感内容,避免在计划指令中嵌入秘密或写访问文件路径。如果您想要更高的保证,请要求作者添加输入验证并更改为更安全的 API;这样做会将信心从中等提升到高。...详细分析 ▾
✓ 用途与能力
Name/description, required binary (node), and the two env vars (OPENCLAW_BIN, OPENCLAW_TZ) align with a scheduler that calls the OpenClaw agent at a future time. The script uses OS schedulers ('at' / 'schtasks') and invokes the openclaw binary to deliver messages, which is expected for this functionality.
⚠ 指令范围
SKILL.md explicitly instructs careful sanitization (no shell metacharacters, use only raw alphanumeric for user_id/channel) and to create fully self-contained instructions. However the code does not enforce those constraints: userId and channel are interpolated into shell commands without validation or escaping on POSIX/Windows flows. The skill therefore relies on politeness of callers rather than safe code, increasing risk of command injection or scheduling of malicious/overly-privileged actions. The skill also encourages including exact file paths and tool names in scheduled instructions — reasonable for clarity but increases chance of scheduling sensitive operations.
✓ 安装机制
No install spec (instruction-only with provided JS file). Required runtime is node; no external downloads or archive extraction. Low install risk.
ℹ 凭证需求
Only OPENCLAW_BIN and OPENCLAW_TZ are required, which is proportionate for a scheduler that must call a local openclaw binary and interpret user timezone. However OPENCLAW_BIN points to a binary that will be executed later; if that binary is untrusted or has broad privileges, scheduled tasks can later trigger powerful actions. The skill does not request other secrets or credentials.
ℹ 持久化与权限
always is false (normal). The skill writes nothing itself but creates OS scheduler entries (at/schtasks) which persist and will run the openclaw agent at scheduled times. That persistence is appropriate for a scheduler but does increase blast radius because tasks run autonomously later; combined with the command construction issues this is a significant concern.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.32026/2/24
改进 SKILL.md 提示设计:更清晰的命令使用、更严格的计划防护、更强的反模糊/安全规则,以及扩展的自包含未来指令示例。无运行时代码更改。
● 可疑
安装命令
点击复制官方npx clawhub@latest install to-do
镜像加速npx clawhub@latest install to-do --registry https://cn.longxiaskill.com镜像同步中
技能文档
SKILL: To-Do (临时任务) 跨平台任务调度器,使用操作系统本地调度器(Linux/macOS 上的 at,Windows 上的 schtasks)计划一次性延迟操作。确保代理在未来确切时刻醒来,具有完整的上下文注入。 计划、列出和管理在用户时区的精确时间触发的临时任务——确保未来代理醒来时具有完全自包含的指令、正确的路由和零模糊性。