← Back to Skills Marketplace
m646pxhjf4-dot

Outbound Auto Setup

by m646pxhjf4-dot · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
80
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install outbound-auto-setup
Description
自动监听外出关键词,提取日期时间地点事项,自动创建并验证Apple提醒、cron推送及待办任务提醒。
Usage Guidance
This skill largely implements what it claims but has several issues you should address before installing: - Missing/undeclared dependencies: the code calls external commands (remindctl) and a script node create-cron-job.js, but the registry metadata lists no required binaries and create-cron-job.js is not included — expect runtime failures or silent behavior. Install and verify remindctl yourself or provide the missing cron-creation script. - Privacy: the hook logs full message text plus userId and channelId to ~/.openclaw/logs/outbound-auto-setup.log and writes to ~/.openclaw/workspace/memory/pending-tasks.md. If you enable this hook, those files will contain message contents and identifiers. Review/logrotate or restrict access if that is sensitive. - Autonomy vs confirmation: SKILL.md says it will ask first-time users for confirmation, but the code defaults CONFIG.enabled = true (and hook config enabled true). If you want manual approval, set CONFIG.enabled = false or don't enable the hook until you review code. - child_process.exec usage: the code shells out (exec). That works for integration but can be risky if commands or arguments are constructed from untrusted data. Review the command construction (remindctl arguments) and consider sanitizing inputs. Recommended steps before enabling: 1. Inspect the code locally and run tests (npm test). 2. Provide or review the missing create-cron-job.js or modify setupOutbound to a safe, included implementation. 3. Install and test remindctl in a controlled environment. 4. Set CONFIG.enabled = false until you're ready, and verify log/pending file locations and access controls. 5. If you need stricter behavior, modify the skill to require explicit user confirmation before creating reminders.
Capability Analysis
Type: OpenClaw Skill Name: outbound-auto-setup Version: 1.0.0 The skill bundle contains a critical shell injection vulnerability in `index.js`. The `setupOutbound` function uses `child_process.exec` to execute the `remindctl` command, incorporating unsanitized strings (`location` and `task`) extracted directly from user messages via regex. While the code appears intended for legitimate task automation, the lack of input validation allows a user to execute arbitrary shell commands. No evidence of intentional malice or data exfiltration was observed, but the implementation is highly insecure.
Capability Assessment
Purpose & Capability
The skill's stated purpose (detect outbound messages and create Apple reminders, cron pushes, and pending-tasks entries) matches the code behavior (parsing messages, running a reminder CLI, appending a pending-tasks file). However the package metadata declares no required binaries or prerequisites even though the code execs external commands (remindctl and a create-cron-job.js script). Also the referenced create-cron-job.js is not present in the repo — a clear mismatch between claimed capabilities and the shipped files.
Instruction Scope
Runtime instructions and code stay within the stated domain (message parsing, creating reminders, writing logs and a pending-tasks file). The skill logs full incoming messages along with userId and channelId to a local log file and appends to ~/.openclaw/workspace/memory/pending-tasks.md — this is expected for its purpose but has privacy implications (it records message content and metadata). The SKILL.md also claims a 'first-use confirmation' but the code defaults to enabled=true, so the claimed user confirmation step is not enforced.
Install Mechanism
No install spec (instruction-only) and the repository contains plain JS files. Nothing in the repo downloads code at runtime or uses obscure external URLs. The risk is limited to the code that will run locally — particularly child_process.exec usage — but there is no high-risk installer URL or archive.
Credentials
The skill requests no credentials/env vars in metadata. It does use process.env.HOME implicitly to locate logs and the pending-tasks file, which is reasonable. No external API keys or unrelated secrets are requested. Still, it reads and records message contents and user/channel IDs — sensitive data but proportional to being a message hook.
Persistence & Privilege
The skill is designed as a message hook (hook-package.json/hook.js) and when enabled will see all incoming messages routed to that hook. 'always' is false (good). The practical effect: if you enable the hook the skill will automatically process messages (potential privacy exposure). It does not appear to alter other skills' configs or require elevated system-wide privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install outbound-auto-setup
  3. After installation, invoke the skill by name or use /outbound-auto-setup
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release (v1.0.0) - Supports automatic detection of outbound-related keywords in user messages - Extracts date, time, location, and task details from messages - Automatically creates reminders in Apple Reminders, sets up cron notifications, and updates pending tasks - Verifies all configurations and provides a complete validation report to the user
Metadata
Slug outbound-auto-setup
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Outbound Auto Setup?

自动监听外出关键词,提取日期时间地点事项,自动创建并验证Apple提醒、cron推送及待办任务提醒。 It is an AI Agent Skill for Claude Code / OpenClaw, with 80 downloads so far.

How do I install Outbound Auto Setup?

Run "/install outbound-auto-setup" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Outbound Auto Setup free?

Yes, Outbound Auto Setup is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Outbound Auto Setup support?

Outbound Auto Setup is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Outbound Auto Setup?

It is built and maintained by m646pxhjf4-dot (@m646pxhjf4-dot); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments