Skill Trust Decision

calendar_memo

Skill executes undeclared shell commands via child_process.exec and runs persistent background timers without proper documentation disclosure.

Install decision first
Source: Manual upload · Scanned: Apr 4, 2026
Files 4
Artifacts 0
Violations 2
Findings 4
Most direct threat evidence
01
Skill loaded via SKILL.md documentation describing only local scheduling features Entry · SKILL.md
02
onStart() triggers startReminderChecker() which creates persistent setInterval Escalation · SOUL.md
03
Every 60 seconds, checkReminders() builds command string with user-controlled title Execution · reminder.js

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Block
Attack chain and severe findings

The report includes 4 attack-chain steps and 1 severe finding.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
Skill loaded via SKILL.md documentation describing only local scheduling features

Entry · SKILL.md:1

02
onStart() triggers startReminderChecker() which creates persistent setInterval

Escalation · SOUL.md:44

03
Every 60 seconds, checkReminders() builds command string with user-controlled title

Execution · reminder.js:35

04
exec() executes 'openclaw message send' through system shell with potentially unsanitized input

Impact · reminder.js:18

What drove the risk score up

Undeclared shell execution +20

reminder.js uses child_process.exec() to run 'openclaw message send', but SKILL.md only mentions '飞书等通道' (Feishu and other channels) without explaining the shell command execution mechanism.

Hidden persistence mechanism +10

setInterval runs every 60 seconds indefinitely, creating a background daemon. SKILL.md does not mention periodic background activity.

Shell injection risk +10

The user-controlled title field is interpolated into a shell command string with only double-quote escaping. Other shell metacharacters are not sanitized.

Doc-to-code mismatch +5

SKILL.md declares filesystem:READ but code uses filesystem:WRITE for MEMORY.md. Shell:WRITE usage not declared.

Most important evidence

High Priv Escalation

Undeclared shell command execution

The skill uses child_process.exec() to execute 'openclaw message send' but SKILL.md only mentions '飞书等通道' (Feishu channels) without explaining the shell execution mechanism. Users cannot make informed decisions about allowing this skill.

reminder.js:18
Document shell:WRITE permission and explain that the skill executes external CLI commands for notifications.
Medium RCE

Shell command injection risk in notification function

The sendPushNotification function builds a shell command by interpolating user-controlled event title into a command string. While only double quotes are escaped, other shell metacharacters could potentially be dangerous if the message format changes.

reminder.js:14
Use an array-based API (e.g. child_process.execFile with an argument array, which bypasses the shell) or proper argument escaping via a library like shell-quote instead of string interpolation.
Medium Persistence

Hidden background daemon without disclosure

The skill starts a setInterval timer that runs checkReminders() every 60 seconds. This creates a persistent background process that continues running until the skill is explicitly stopped. SKILL.md does not mention this behavior.

reminder.js:55
Document that the skill runs background checks and the interval frequency. Allow users to configure or disable reminder checking.
Low Doc Mismatch

Minor doc-to-code mismatch on filesystem permissions

SKILL.md capability section mentions '读取和编辑MEMORY.md' (read and edit) but only declares filesystem:READ. The code writes to MEMORY.md using writeFileSync.

SOUL.md:13
Update SKILL.md to declare filesystem:WRITE permission.

Declared capability vs actual capability

Filesystem Pass
Declared READ
Inferred WRITE
reminder.js:3 - fs module available; SOUL.md:13 - fs.writeFileSync writes MEMORY.md
Shell Block
Declared NONE
Inferred WRITE
reminder.js:4 - const { exec } = require('child_process'); reminder.js:18 - exec(cmd, callback)
Network Block
Declared NONE
Inferred WRITE
reminder.js:18 - exec runs 'openclaw message send --channel feishu' which sends network requests
Environment Pass
Declared NONE
Inferred NONE
No direct environment variable access found

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

There are no structured dependency warnings.

File composition

4 files · 363 lines
Markdown 3 files · 279 lines
JavaScript 1 file · 84 lines
Files of concern · 2
SOUL.md Markdown · 226 lines
Minor doc-to-code mismatch on filesystem permissions
reminder.js JavaScript · 84 lines
Undeclared shell command execution · Shell command injection risk in notification function · Hidden background daemon without disclosure
Other files · SKILL.md · MEMORY.md

Security positives

No credential harvesting or sensitive data exfiltration detected
No base64 encoding, eval(), or obfuscation techniques found
No network requests to unknown external IPs
Data stays local in MEMORY.md without transmission
User input is processed through structured parsing rather than eval()