Trusted — Risk Score 5/100
Last scan: 2 days ago
opencron
Visual cron job dashboard for OpenClaw — live countdown timers, run history, calendar view
OpenCron is a legitimate visual cron job dashboard for OpenClaw with no malicious behavior detected.
Skill Name: opencron
Duration: 32.6s
Engine: pi
Safe to install
This skill is safe to use. No security concerns were identified.

Findings 2 items

Severity | Finding | Location
Low | git clone not explicitly declared | bin/install.js:21
bin/install.js uses execFileSync('git', ['clone', '--depth', '1', ...]) to fetch the opencron-skill repository at install time. This is not mentioned in SKILL.md. The pattern is common for thin installer packages and directly supports the tool's installation purpose; because execFileSync receives an argument array rather than a shell string, the arguments are not interpreted by a shell. Note that the clone is not pinned to a tag or commit, so what gets installed is whatever the repository's default branch holds at install time, which may differ from the files scanned here.
execFileSync('git', ['clone', '--depth', '1', REPO, SKILL_DIR], { stdio: 'inherit' })
→ Add 'git clone for skill installation' to the SKILL.md declared capabilities, and pin the clone to a reviewed tag or commit.
Info | External network fetch from raw.githubusercontent.com | update_canvas.py:17
update_canvas.py fetches the dashboard HTML from raw.githubusercontent.com/firstfloris/opencron. This is declared in SKILL.md, but the URL points at the master branch rather than a fixed commit, so the HTML written to the canvas is whatever that branch holds at fetch time. The skill's integrity therefore rests on the upstream repository and the account that controls it, not only on the scanned files.
DASHBOARD_URL = 'https://raw.githubusercontent.com/firstfloris/opencron/master/cron-dashboard.html'
→ Vendor the HTML dashboard with the skill, or pin the URL to a commit SHA and verify a checksum of the response before writing it to CANVAS_HTML.
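The pin-and-verify fetch that the recommendation above calls for, written here as an added example in Python; it is not the skill's own update_canvas.py. The branch name in DASHBOARD_URL is replaced by a commit SHA, and the response is checked against a SHA-256 recorded at review time before it is written to the canvas path. PINNED_COMMIT, the sample HTML bytes and fake_fetcher are constructed for the offline demonstration and are not real project values; the same idea of pinning to a reviewed commit applies to the install-time git clone flagged in the first finding.

```python
import hashlib
import urllib.request
from pathlib import Path

RAW_HOST = "https://raw.githubusercontent.com"
REPO_PATH = "firstfloris/opencron"   # repository named on the page
DASHBOARD_FILE = "cron-dashboard.html"
# Hypothetical pin for the example; in practice the SHA of the commit that was reviewed.
PINNED_COMMIT = "0123456789abcdef0123456789abcdef01234567"


class ChecksumMismatch(Exception):
    """Raised when the fetched bytes do not match the recorded digest."""


def is_commit_pin(ref: str) -> bool:
    """True only for a full 40-hex commit SHA; a branch name like 'master' moves."""
    return len(ref) == 40 and all(c in "0123456789abcdef" for c in ref.lower())


def pinned_url(repo_path: str, commit: str, file_path: str) -> str:
    """Build the raw.githubusercontent.com URL for one file at one commit."""
    if not is_commit_pin(commit):
        raise ValueError(f"refusing to fetch from unpinned ref {commit!r}")
    return f"{RAW_HOST}/{repo_path}/{commit.lower()}/{file_path}"


def fetch(url: str, timeout: float = 10.0) -> bytes:
    """Real network fetch over TLS; the offline demo below substitutes a fake."""
    if not url.startswith("https://"):
        raise ValueError("refusing non-TLS URL")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def verify_and_write(data: bytes, expected_sha256: str, dest: Path) -> str:
    """Write `data` to `dest` only if its SHA-256 matches; return the digest."""
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256.lower():
        raise ChecksumMismatch(f"expected {expected_sha256}, got {digest}")
    tmp = dest.with_name(dest.name + ".tmp")
    tmp.write_bytes(data)
    tmp.replace(dest)  # atomic rename: the served file is never half-written
    return digest


def update_canvas(fetcher, dest: Path, expected_sha256: str,
                  commit: str = PINNED_COMMIT) -> str:
    """Pinned, verified replacement for the page's urlopen + write_bytes flow."""
    url = pinned_url(REPO_PATH, commit, DASHBOARD_FILE)
    return verify_and_write(fetcher(url), expected_sha256, dest)


# Constructed sample standing in for the GitHub response (not real dashboard content).
SAMPLE_HTML = b"<!doctype html><title>cron dashboard</title>\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_HTML).hexdigest()


def fake_fetcher(url: str) -> bytes:
    """Offline stand-in for fetch(): checks the pinned URL was requested."""
    assert url == pinned_url(REPO_PATH, PINNED_COMMIT, DASHBOARD_FILE)
    return SAMPLE_HTML


def demo_roundtrip() -> tuple:
    """Offline check: genuine bytes are written; tampered bytes are rejected
    and the previously written file is left untouched."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        out = Path(d) / DASHBOARD_FILE
        digest = update_canvas(fake_fetcher, out, SAMPLE_SHA256)
        written_ok = out.read_bytes() == SAMPLE_HTML
        tampered = lambda _url: SAMPLE_HTML + b"<script>steal()</script>"
        try:
            update_canvas(tampered, out, SAMPLE_SHA256)
            rejected = False
        except ChecksumMismatch:
            rejected = out.read_bytes() == SAMPLE_HTML
        return digest, written_ok and rejected


if __name__ == "__main__":
    print(demo_roundtrip())
```

The digest check happens before any write, and the write goes through a temporary file plus rename, so a mismatch leaves the last good dashboard in place rather than an empty or partial file. Updating the pin is then a deliberate review step: change PINNED_COMMIT and the recorded digest together.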
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | generate.py:28 reads ~/.openclaw/cron/jobs.json
Filesystem | WRITE | WRITE | ✓ Aligned | update_canvas.py:24 writes CANVAS_HTML.write_bytes(req.read())
Network | READ | READ | ✓ Aligned | update_canvas.py:22 urllib.request.urlopen(DASHBOARD_URL)
Shell | WRITE | WRITE | ✓ Aligned | watch_sync.sh:9 cp and sleep loop; serve.py:42 HTTPServer
Environment | NONE | READ | ✓ Aligned | SKILL.md references ${OPENCLAW_GATEWAY_TOKEN} and ${CANVAS_PORT} but does not de…
3 findings
🔗 Medium | External URL | http://www.w3.org/2000/svg | demo.html:276
This is the SVG XML namespace identifier used in an xmlns attribute; it is never fetched, so treat it as a false positive.
🔗 Medium | External URL | http://0.0.0.0: | serve.py:60
This looks like the printed listen address of the local HTTPServer (serve.py:42). Confirm the bind address: a server bound to 0.0.0.0 listens on every interface and is reachable from other hosts on the network, whereas 127.0.0.1 keeps the dashboard local.
📧 Info | Email | [email protected] | demo.html:345

File Tree

9 files · 60.9 KB · 1250 lines
HTML 1f · 799L Markdown 2f · 222L Python 3f · 149L JavaScript 1f · 60L JSON 1f · 11L Shell 1f · 9L
├─ 📁 bin
│ └─ 📜 install.js JavaScript 60L · 1.9 KB
├─ 📄 demo.html HTML 799L · 48.1 KB
├─ 🐍 generate.py Python 47L · 1.3 KB
├─ 📋 package.json JSON 11L · 302 B
├─ 📝 README.md Markdown 92L · 2.0 KB
├─ 🐍 serve.py Python 65L · 1.9 KB
├─ 📝 SKILL.md Markdown 130L · 4.1 KB
├─ 🐍 update_canvas.py Python 37L · 1.0 KB
└─ 🔧 watch_sync.sh Shell 9L · 272 B

Dependencies 2 items

Package | Version | Source | Known Vulns | Notes
None (Python stdlib only) | N/A | stdlib | No | No pip packages required
node (child_process, fs, path) | N/A | Node.js stdlib | No | Standard Node.js built-in modules only

Security Positives

✓ No credential harvesting — OPENCLAW_GATEWAY_TOKEN is used only for URL construction, never exfiltrated (a token carried in a URL can still land in server logs or shell and browser history, so keep that URL local)
✓ No subprocess/eval with user-controlled input
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No base64 encoding or obfuscation
✓ No data exfiltration to external IPs
✓ No reverse shell or C2 infrastructure
✓ demo.html contains only mock data, no hidden instructions
✓ Python scripts use only standard library (no external dependencies)
✓ File operations are scoped to the ~/.openclaw tree (cron/jobs.json read, canvas HTML write)